1620 matches found
CVE-2013-7397
Async Http Client aka AHC or async-http-client before 1.9.0 skips X.509 certificate verification unless both a keyStore location and a trustStore location are explicitly set, which allows man-in-the-middle attackers to spoof HTTPS servers by presenting an arbitrary certificate during use of a...
CVE-2013-7398
main/java/com/ning/http/client/AsyncHttpClientConfig.java in Async Http Client aka AHC or async-http-client before 1.9.0 does not require a hostname match during verification of X.509 certificates, which allows man-in-the-middle attackers to spoof HTTPS servers via an arbitrary valid certificate...
Medium: python27
Issue Overview: It was discovered that multiple Python standard library modules implementing network protocols such as httplib or smtplib failed to restrict sizes of server responses. A malicious server could cause a client using one of the affected modules to consume an excessive amount of...
Updated async-http-client packages fix security vulnerabilities
Updated async-http-client packages fix security vulnerabilities: It was found that async-http-client would disable SSL/TLS certificate verification under certain conditions, for example if HTTPS communication also uses client certificates. This can be exploited by a Man-in-the-middle MITM attack...
MGASA-2015-0212 Updated async-http-client packages fix security vulnerabilities
Updated async-http-client packages fix security vulnerabilities: It was found that async-http-client would disable SSL/TLS certificate verification under certain conditions, for example if HTTPS communication also uses client certificates. This can be exploited by a Man-in-the-middle MITM attack...
Fedora 20 : async-http-client-1.7.22-2.fc20 (2015-6891)
Security fix for CVE-2013-7398, CVE-2013-7397 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues...
Fedora Update for async-http-client FEDORA-2015-6891
The remote host is missing an update for the SPDX-FileCopyrightText: 2015 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
[SECURITY] Fedora 20 Update: async-http-client-1.7.22-2.fc20
Async Http Client library purpose is to allow Java applications to easily execute HTTP requests and asynchronously process the HTTP responses. The Async HTTP Client library is simple to use...
[SECURITY] Fedora 22 Update: python-httplib2-0.9-6.fc22
A comprehensive HTTP client library that supports many features left out of other HTTP libraries...
async-http-client: missing hostname verification for SSL certificates
It was found that async-http-client did not verify that the server hostname matched the domain name in the subject's Common Name CN or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any...
async-http-client: SSL/TLS certificate verification is disabled under certain conditions
It was found that async-http-client would disable SSL/TLS certificate verification under certain conditions, for example if HTTPS communication also used client certificates. A man-in-the-middle MITM attacker could use this flaw to spoof a valid certificate...
async-http-client: SSL/TLS certificate verification is disabled under certain conditions
It was found that async-http-client would disable SSL/TLS certificate verification under certain conditions, for example if HTTPS communication also used client certificates. A man-in-the-middle MITM attacker could use this flaw to spoof a valid certificate...
QNAP - Admin Shell via Bash Environment Variable Code Injection (Metasploit)
Exploit Title: QNAP admin shell via Bash Environment Variable Code Injection Date: 7 February 2015 Exploit Author: Patrick Pellegrino | [email protected] work / [email protected] other Employer homepage: http://www.securegroup.it Vendor...
Generic Web Application DLL Injection
This is a general-purpose module for exploiting conditions where a HTTP request triggers a DLL load from an specified SMB share. This module serves payloads as DLLs over an SMB service and allows an arbitrary HTTP URL to be called that would trigger the load of the DLL. This module requires...
Solarwinds Orion AccountManagement.asmx GetAccounts Admin Creation Exploit
This module exploits a stacked SQL injection in order to add an administrator user to the SolarWinds Orion database. Usage Info msf use auxiliary/gather/solarwindsorionsqli msf auxiliarysolarwindsorionsqli show actions ...actions... msf auxiliarysolarwindsorionsqli set ACTION msf...
Lexmark MarkVision Enterprise - Arbitrary File Upload (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 'Lexmark MarkVision Enterprise Arbitrary File Upload', 'Description' = %q This module exploits a code execution flaw in Lexmark...
ActualAnalyzer Cookie Command Execution Vulnerability
This Metasploit module exploits a command execution vulnerability in ActualAnalyzer version 2.81 and prior. The 'aa.php' file allows unauthenticated users to execute arbitrary commands in the 'ant' cookie. This module requires Metasploit: http://metasploit.com/download Current source:...
Device42 WAN Emulator 2.3 - Ping Command Injection (Metasploit)
Device42 WAN Emulator 2.3 - Ping Command Injection Metasploit This module requires Metasploit: http//metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 'WAN Emulator v2.3 Command Execution', 'Description' = %q , 'License' =...
Device42 Traceroute Command Injection
This module requires Metasploit: http//metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 'WAN Emulator v2.3 Command Execution', 'Description' = %q , 'License' = MSFLICENSE, 'Privileged' = true, 'Platform' = 'unix', 'Arch' =...
Device42 Ping Command Injection
This module requires Metasploit: http//metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 'WAN Emulator v2.3 Command Execution', 'Description' = %q , 'License' = MSFLICENSE, 'Privileged' = true, 'Platform' = 'unix', 'Arch' =...