195 matches found
SUSE-SU-2024:3357-1 Security update for python310
This update for python310 fixes the following issues: - Update to version 3.10.15 - CVE-2024-8088: Fixed denial of service in zipfile. bsc1229704 - CVE-2024-7592: Fixed uncontrolled CPU resource consumption when in http.cookies module. bsc1229596 - CVE-2024-6232: Fixed ReDos via excessive...
SUSE-SU-2024:3303-1 Security update for python312
This update for python312 fixes the following issues: - Update to 3.12.6 - CVE-2024-6923: Fixed uncontrolled CPU resource consumption when in http.cookies module. bsc1228780. - CVE-2024-7592: Fixed Email header injection due to unquoted newlines. bsc1229596 - CVE-2024-6232: Fixed ReDos via...
CVE-2024-45597 Pluto's http.request allows CR and LF in header values
Pluto is a superset of Lua 5.4 with a focus on general-purpose programming. Scripts passing user-controlled values to http.request header values are affected. An attacker could use this to send arbitrary requests, potentially leveraging authentication tokens provided in the same headers table...
CVE-2024-45597 Pluto's http.request allows CR and LF in header values
Pluto is a superset of Lua 5.4 with a focus on general-purpose programming. Scripts passing user-controlled values to http.request header values are affected. An attacker could use this to send arbitrary requests, potentially leveraging authentication tokens provided in the same headers table...
Pluto 注入漏洞
Pluto is a unique language for Lua open-sourced by PlutoLang. It is used for general-purpose programming. An injection vulnerability exists in Pluto versions 0.9.0 through 0.9.4, which stems from the fact that scripts passing user-controlled values to the http.request header value can be affected...
PT-2024-31699 · Pluto · Pluto
Name of the Vulnerable Software and Affected Versions: Pluto affected versions not specified Description: The issue affects scripts that pass user-controlled values to http.request header values. An attacker could exploit this to send arbitrary requests, potentially leveraging authentication toke...
Incorrect Handling Of HTTP Headers
github.com/envoyproxy/envoy is vulnerable to Incorrect Handling of HTTP Headers. The vulnerability is due to setCopy header map API not replacing all existing occurrences of a non-inline header and only considering the first value when multiple header values are present. This allows an attackers ...
CRLF Injection
tornado is vulnerable to CRLF Injection. The vulnerability is due to improper CR/LF checks allowing for the inclusion of attacker-controlled header values in requests, which allows arbitrary headers or requests to be sent to a specified server...
SUSE CVE-2020-25017
Envoy through 1.15.0 only considers the first value when multiple header values are present for some HTTP headers. Envoy's setCopy header map API does not replace all existing occurences of a non-inline header...
jetty: hpack header values cause denial of service in http/2
A flaw was found in Jetty http2-hpack and http3-qpack. If header values exceed the size limit and Huffman is the trueMetaDataBuilder.checkSize, the multiplication will overflow, and the length will become negative, causing a large buffer allocation on the server, leading to a Denial of Service Do...
PT-2024-2567 · Unknown +2 · Erlang-Jose +2
Name of the Vulnerable Software and Affected Versions: erlang-jose versions through 1.11.6 Description: The issue is related to an uncontrolled resource consumption in the erlang-jose module for JSON object signing and encryption for Erlang and Elixir languages. This can be exploited by a remote...
CLSA-2024-1710436968 squid: Fix of CVE-2024-25617
CVE-2024-25617: Improve handling of expanding HTTP header values to prevent DoS...
CLSA-2024-1710436895 squid: Fix of CVE-2024-25617
CVE-2024-25617: Improve handling of expanding HTTP header values to prevent DoS...
BIT-JUPYTER-NOTEBOOK-2022-24758 Insertion of Sensitive Information into Log File affects Jupyter Notebook
The Jupyter notebook is a web-based notebook environment for interactive computing. Prior to version 6.4.9, unauthorized actors can access sensitive information from server logs. Anytime a 5xx error is triggered, the auth cookie and other header values are recorded in Jupyter server logs by...
CVE-2024-23644
Trillium is a composable toolkit for building internet applications with async rust. In trillium-http prior to 0.3.12 and trillium-client prior to 0.5.4, insufficient validation of outbound header values may lead to request splitting or response splitting attacks in scenarios where attackers have...
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Summary Insufficient validation of outbound header values may lead to request splitting or response splitting attacks in scenarios where attackers have sufficient control over outbound headers. Details Outbound trilliumhttp::HeaderValue and trilliumhttp::HeaderName can be constructed infallibly a...
PT-2024-19995 · Unknown · Trillium-Http +1
Name of the Vulnerable Software and Affected Versions: trillium-http versions prior to 0.3.12 trillium-client versions prior to 0.5.4 Description: Insufficient validation of outbound header values may lead to request splitting or response splitting attacks in scenarios where attackers have...
jetty: hpack header values cause denial of service in http/2
A flaw was found in Jetty http2-hpack and http3-qpack. If header values exceed the size limit and Huffman is the trueMetaDataBuilder.checkSize, the multiplication will overflow, and the length will become negative, causing a large buffer allocation on the server, leading to a Denial of Service Do...
Buffer Overflow
libz.so is vulnerable to Buffer Overflow. The vulnerability is present due to the absence of length checks in the filename, extrafield, and comment parameters within the zip.c. This oversight enables an attacker to trigger an integer overflow, leading to a heap-based buffer overflow in the...
Ubuntu 16.04 ESM / 18.04 ESM / 20.04 LTS : Node.js vulnerabilities (USN-6380-1)
The remote Ubuntu 16.04 ESM / 18.04 ESM / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6380-1 advisory. Rogier Schouten discovered that Node.js incorrectly handled certain inputs. If a user or an automated system were tricked into...