CVE-2023-45143 Undici's cookie header not cleared on cross-origin redirect in fetch

Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in...

CVE-2023-45143 Undici's cookie header not cleared on cross-origin redirect in fetch

Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in...

Fedora: Security Advisory for python-urllib3 (FEDORA-2023-8f53bfe088)

The remote host is missing an update for the SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Fedora 37 : python-urllib3 (2023-0806784f24)

The remote Fedora 37 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-0806784f24 advisory. Update to 1.26.17: fix CVE-2023-43804 GHSA-v845-jxx5-vc9f Tenable has extracted the preceding description block directly from the Fedora security advisory...

[SECURITY] Fedora 38 Update: python-urllib3-1.26.17-1.fc38

urllib3 is a powerful, user-friendly HTTP client for Python. urllib3 brings many critical features that are missing from the Python standard libraries: =EF=BF=BD=EF=BF=BD=EF=BF=BD Thread safety. =EF=BF=BD=EF=BF=BD=EF=BF=BD Connection pooling. =EF=BF=BD=EF=BF=BD=EF=BF=BD Client-side SSL/TLS...

Fedora 38 : python-urllib3 (2023-8f53bfe088)

The remote Fedora 38 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-8f53bfe088 advisory. Update to 1.26.17: fix CVE-2023-43804 GHSA-v845-jxx5-vc9f Tenable has extracted the preceding description block directly from the Fedora security advisory...

CVE-2023-43804

A flaw was found in urllib3, a user-friendly HTTP client library for Python. urllib3 doesn't treat the Cookie HTTP header special or provide any helpers for managing cookies over HTTP, which is the responsibility of the user. However, it is possible for a user to specify a Cookie header and...

CVE-2023-43804

urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the Cookie HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak...

CVE-2023-43804

urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the Cookie HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak...

CVE-2023-43804

CVE-2023-43804 affects the Python urllib3 library, where a Cookie header may be leaked across cross-origin redirects if redirects are not disabled. The issue is resolved in urllib3 1.26.17 or 2.0.5. Affected environments are confirmed in multiple reports, including AlmaLinux and Brocade advisorie...

CVE-2023-43804

urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the Cookie HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak...

CVE-2023-43804

urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the Cookie HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak...

CVE-2023-43804 `Cookie` HTTP header isn't stripped on cross-origin redirects

urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the Cookie HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak...

Mageia: Security Advisory (MGASA-2023-0272)

The remote host is missing an update for the SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Updated java packages fix security vulnerabilities

The updated packages fix security vulnerabilities and a file conflict : Improper connection handling during TLS handshake. CVE-2023-21930 Incorrect enqueue of references in garbage collector. CVE-2023-21954 Certificate validation issue in TLS session negotiation. CVE-2023-21967 Swing HTML parsing...

MGASA-2023-0272 Updated java packages fix security vulnerabilities

The updated packages fix security vulnerabilities and a file conflict : Improper connection handling during TLS handshake. CVE-2023-21930 Incorrect enqueue of references in garbage collector. CVE-2023-21954 Certificate validation issue in TLS session negotiation. CVE-2023-21967 Swing HTML parsing...

Important: amazon-ecr-credential-helper

Issue Overview: The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value...

LG Simple Editor Remote Code Execution Exploit

This Metasploit module exploits broken access control and directory traversal vulnerabilities in LG Simple Editor software for gaining code execution. The vulnerabilities exist in versions of LG Simple Editor prior to v3.21. By exploiting this flaw, an attacker can upload and execute a malicious...

Exploit for OS Command Injection in Opentsdb

opentsdbkeycmdinjection An exploit for OpenTSDB -l -p -...

OESA-2023-1499 golang security update

The Go Programming Language. Security Fixes: The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a...