Lucene search

330 matches found

NVD
added 2023/11/29 8:15 p.m., 25 views

CVE-2023-49082

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request e.g. insert a new header or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if th...

CVSS 5.3, EPSS 0.00228
Exploits: 1, References: 6
Github Security Blog
added 2023/11/27 11:17 p.m., 43 views

aiohttp's ClientSession is vulnerable to CRLF injection via method

Summary: Improper validation makes it possible for an attacker to modify the HTTP request, e.g. insert a new header or even create a new HTTP request, if the attacker controls the HTTP method. Details: The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the...

CVSS 5.3, AI score 4.9, EPSS 0.00228
Exploits: 1, References: 10, Affected software: 1
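The mechanism the two aiohttp entries above describe, shown as an added example (this is constructed for illustration, not aiohttp's own code): a request builder that interpolates a caller-controlled method straight into the request line, a parser that shows what bytes a server would then receive, and the RFC 7230 token check that stops the injection. The builder, the parser and the attacker string are all assumptions made for this example.

```python
import re

# RFC 7230 "token" grammar: the only characters an HTTP method may contain.
# Validating the method against it is the standard guard for this bug class
# (assumption for this example; not aiohttp's own code).
_TCHAR = r"!#$%&'*+\-.^_`|~0-9A-Za-z"
_TOKEN_RE = re.compile(rf"[{_TCHAR}]+")


def build_request_unchecked(method: str, path: str, host: str) -> bytes:
    """Vulnerable pattern: the method is interpolated straight into the
    request line, so CR/LF inside it ends the line early and everything
    after it is sent as further headers or a further request."""
    return f"{method} {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode("latin-1")


def build_request_checked(method: str, path: str, host: str) -> bytes:
    """Hardened pattern: refuse any method that is not an RFC 7230 token.
    fullmatch is used so a trailing newline cannot slip past a '$' anchor."""
    if not _TOKEN_RE.fullmatch(method):
        raise ValueError(f"invalid HTTP method: {method!r}")
    return build_request_unchecked(method, path, host)


def parse_wire(raw: bytes) -> dict:
    """Show what a server would see: every request line and header name
    present in the serialized bytes. A legitimate request has exactly one
    request line and only the headers the caller set."""
    lines = raw.decode("latin-1").split("\r\n")
    request_lines = [ln for ln in lines if re.fullmatch(r"\S+ \S+ HTTP/\d\.\d", ln)]
    headers = []
    for ln in lines:
        name, sep, _ = ln.partition(":")
        if sep and name and " " not in name:
            headers.append(name)
    return {"request_lines": request_lines, "headers": headers}


if __name__ == "__main__":
    # Constructed attacker input: a "method" that closes the request line,
    # adds a header, and starts a second request.
    evil = "GET /admin HTTP/1.1\r\nX-Injected: 1\r\nGET"
    print(parse_wire(build_request_unchecked(evil, "/", "example.com")))
    try:
        build_request_checked(evil, "/", "example.com")
    except ValueError as exc:
        print("rejected:", exc)
```

With the unchecked builder the server receives two request lines and an X-Injected header the caller never set; the checked builder raises before anything is serialized. The same check applies to any value that lands in the request line or a header name, not only the method.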
Tenable Nessus
added 2023/11/07 12:00 a.m., 22 views

Rocky Linux 8 : firefox (RLSA-2022:8554)

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2022:8554 advisory. - Service Workers should not be able to infer information about opaque cross-origin responses; but timing information for cross-origin media combined wi...

CVSS 9.8, AI score 7.8, EPSS 0.00419
Exploits: 0, References: 27
SUSE CVE
added 2023/10/26 1:00 a.m., 2 views

SUSE CVE-2023-45142

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels http.user_agent and http.method that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP...

CVSS 7.5, AI score 8.6, EPSS 0.01159
Exploits: 0, References: 18
Github Security Blog
added 2023/10/19 9:30 a.m., 28 views

Apache Shenyu Server Side Request Forgery vulnerability

There exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint. This vulnerability allows us to manipulate arbitrary requests and retrieve corresponding responses by inputting any URL into the requestUrl parameter. Of particular concern is our ability...

CVSS 6.5, AI score 6.6, EPSS 0.00746
Exploits: 0, References: 4, Affected software: 2
OSV
added 2023/10/19 9:30 a.m., 32 views

GHSA-7W8V-5FCQ-PVQW Apache Shenyu Server Side Request Forgery vulnerability

There exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint. This vulnerability allows us to manipulate arbitrary requests and retrieve corresponding responses by inputting any URL into the requestUrl parameter. Of particular concern is our ability...

CVSS 6.5, AI score 6.4, EPSS 0.00746
Exploits: 0, References: 4
Cvelist
added 2023/10/19 8:35 a.m., 12 views

CVE-2023-25753 Server-Side Request Forgery in Apache ShenYu

There exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint. This vulnerability allows us to manipulate arbitrary requests and retrieve corresponding responses by inputting any URL into the requestUrl parameter. Of particular concern is our ability...

AI score 6.7, EPSS 0.00746
Exploits: 0, References: 1
CVE
added 2023/10/19 8:35 a.m., 60 views

CVE-2023-25753

CVE-2023-25753 affects Apache ShenYu 2.5.1. The vulnerability is a Server-Side Request Forgery (SSRF) at the /sandbox/proxyGateway endpoint, allowing an attacker to inject arbitrary URLs via the requestUrl parameter and manipulate the resulting HTTP request. The issue enables control over the HTT...

CVSS 6.5, AI score 6.4, EPSS 0.00746
Exploits: 0, References: 1, Affected software: 1
Vulnrichment
added 2023/10/19 8:35 a.m., 12 views

CVE-2023-25753 Server-Side Request Forgery in Apache ShenYu

There exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint. This vulnerability allows us to manipulate arbitrary requests and retrieve corresponding responses by inputting any URL into the requestUrl parameter. Of particular concern is our ability...

AI score 6.9, EPSS 0.00746
Exploits: 0, References: 1
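An added example of the check the ShenYu entries above call for (constructed for this page, not ShenYu's own code): a hypothetical proxy handler that accepts a requestUrl parameter and refuses anything outside an allowlist of schemes and hosts, then screens the address the host resolves to so an allowlisted name cannot be pointed at an internal host. ALLOWED_HOSTS, the FAKE_DNS table and the fake_resolve/fake_fetch helpers are assumptions made so the example runs offline.

```python
import ipaddress
from typing import Callable, Tuple
from urllib.parse import urlsplit

# Constructed policy for this example: the only upstreams a proxy endpoint
# should ever be allowed to reach. Anything else is refused before a
# connection is attempted.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"api.example.com", "backend.example.org"}


def is_public_address(ip_text: str) -> bool:
    """True only for globally routable addresses: rejects loopback, RFC 1918,
    link-local (including 169.254.169.254 cloud metadata), multicast and
    reserved ranges."""
    return ipaddress.ip_address(ip_text).is_global


def check_request_url(url: str, resolve: Callable[[str], str]) -> Tuple[bool, str]:
    """Validate a user-supplied target URL. `resolve` maps a hostname to an
    IP string; it is injected so the check runs offline here (in production
    pass socket.gethostbyname and connect to the address you checked, so a
    later DNS answer cannot rebind the name to an internal host)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"  # http://allowed-host@127.0.0.1/ trick
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host not in ALLOWED_HOSTS:
        return False, "host not allowlisted"
    try:
        address = resolve(host)
    except OSError:
        return False, "name does not resolve"
    if not is_public_address(address):
        return False, "host resolves to a non-public address"
    return True, "ok"


def proxy_gateway(request_url: str, resolve, fetch) -> Tuple[int, str]:
    """Hypothetical proxy handler: answers 400 unless the URL passes the
    check, otherwise hands it to `fetch` (an injected HTTP client)."""
    ok, reason = check_request_url(request_url, resolve)
    if not ok:
        return 400, f"refused: {reason}"
    return fetch(request_url)


# Constructed DNS table for the offline demonstration.
FAKE_DNS = {
    "api.example.com": "93.184.216.34",  # public address
    "backend.example.org": "10.0.0.5",   # allowlisted name pointing inside
}


def fake_resolve(host: str) -> str:
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    raise OSError("NXDOMAIN")


def fake_fetch(url: str) -> Tuple[int, str]:
    return 200, f"fetched {url}"


if __name__ == "__main__":
    for url in ("https://api.example.com/v1/users",
                "http://169.254.169.254/latest/meta-data/",
                "file:///etc/passwd",
                "http://api.example.com@127.0.0.1:8080/",
                "http://backend.example.org/admin"):
        print(url, "->", proxy_gateway(url, fake_resolve, fake_fetch))
```

The allowlist is the real control; the address screening is a second layer for the case where an allowlisted name is later repointed at an internal address. A client that follows redirects needs the same check applied to every hop, since the first URL passing says nothing about where a 302 sends the request.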
OSV
added 2023/10/16 2:01 p.m., 24 views

GHSA-RCJV-MGP8-QVMR OpenTelemetry-Go Contrib vulnerable to denial of service in otelhttp due to unbound cardinality metrics

Summary: This handler wrapper (https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65) out of the box adds the labels http.user_agent and http.method, which have unbound cardinality. It leads to the server...

CVSS 7.5, AI score 8.9, EPSS 0.01159
Exploits: 0, References: 11
GitLab Advisory Database
added 2023/10/16 12:00 a.m., 27 views

Allocation of Resources Without Limits or Throttling

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels http.user_agent and http.method that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP...

CVSS 7.5, AI score 6.2, EPSS 0.01159
Exploits: 0, References: 10, Affected software: 1
GitLab Advisory Database
added 2023/10/16 12:00 a.m., 28 views

Allocation of Resources Without Limits or Throttling

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels http.user_agent and http.method that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP...

CVSS 7.5, AI score 6.8, EPSS 0.01159
Exploits: 0, References: 10, Affected software: 1
GitLab Advisory Database
added 2023/10/16 12:00 a.m., 28 views

Allocation of Resources Without Limits or Throttling

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels http.user_agent and http.method that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP...

CVSS 7.5, AI score 6.2, EPSS 0.01159
Exploits: 0, References: 10, Affected software: 1
WPVulnDB
added 2023/10/13 12:00 a.m., 117 views

WP < 6.3.2 - Denial of Service via Cache Poisoning

Description: A Denial of Service could occur via Cache Poisoning when the X-HTTP-Method-Override header is sent in a request to the REST API in a heavily cached configuration...

AI score 7
Exploits: 0, References: 1
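An added illustration of the cache-poisoning path the WordPress entry above describes (constructed for this page, not WordPress's code): a stand-in REST endpoint that honours X-HTTP-Method-Override, and a full-page cache in front of it keyed on the path alone versus one that varies on the override header. rest_api, EdgeCache and the route are hypothetical; the point is which key the error response lands under.

```python
from typing import Callable, Dict, Tuple

OVERRIDE_HEADER = "X-HTTP-Method-Override"
Response = Tuple[int, str]


def rest_api(method: str, path: str, headers: Dict[str, str]) -> Response:
    """Constructed stand-in for a REST endpoint that honours the override
    header. Only GET is routed for this path; any other effective method
    is answered with an error body that a naive cache will happily store."""
    effective = headers.get(OVERRIDE_HEADER, method).upper()
    if path == "/wp-json/wp/v2/posts" and effective == "GET":
        return 200, '[{"id": 1, "title": "Hello world"}]'
    return 404, '{"code": "rest_no_route"}'


class EdgeCache:
    """Minimal full-page cache in front of the origin. With vary_on_override
    False it keys GET responses on the path alone (the vulnerable setup);
    with True the override header becomes part of the key, so an overridden
    request can only poison its own variant."""

    def __init__(self, origin: Callable[..., Response], vary_on_override: bool):
        self.origin = origin
        self.vary_on_override = vary_on_override
        self.store: Dict[tuple, Response] = {}

    def handle(self, method: str, path: str, headers: Dict[str, str]) -> Tuple[int, str, str]:
        if method != "GET":
            status, body = self.origin(method, path, headers)
            return status, body, "BYPASS"  # only GET is cached
        key = (path,)
        if self.vary_on_override:
            key += (headers.get(OVERRIDE_HEADER, ""),)
        if key in self.store:
            status, body = self.store[key]
            return status, body, "HIT"
        status, body = self.origin(method, path, headers)
        self.store[key] = (status, body)
        return status, body, "MISS"


def poisoning_scenario(vary_on_override: bool) -> Tuple[int, int]:
    """Attacker sends GET plus X-HTTP-Method-Override: DELETE, then an
    ordinary visitor sends a plain GET for the same path.
    Returns (attacker_status, visitor_status)."""
    cache = EdgeCache(rest_api, vary_on_override)
    path = "/wp-json/wp/v2/posts"
    attacker_status, _, _ = cache.handle("GET", path, {OVERRIDE_HEADER: "DELETE"})
    visitor_status, _, _ = cache.handle("GET", path, {})
    return attacker_status, visitor_status


if __name__ == "__main__":
    print("path-only cache key:", poisoning_scenario(False))  # visitor gets the 404
    print("vary on override:   ", poisoning_scenario(True))   # visitor gets 200
```

Varying the cache key is the minimal fix; stripping the override header at the edge, or refusing to cache any response produced under an override, closes the same hole with less cache fragmentation. Any header the application uses to change routing has to be part of the cache key or removed before the request reaches the origin.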
OSV
added 2023/10/12 5:15 p.m., 1 view

AZL-33347 CVE-2023-45142 affecting package moby-compose for versions less than 2.17.3-7

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels http.user_agent and http.method that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP...

CVSS 7.5, AI score 7.1, EPSS 0.01159
Exploits: 0, References: 1
OSV
added 2023/10/12 5:15 p.m., 2 views

AZL-35437 CVE-2023-45142 affecting package docker-buildx for versions less than 0.14.0-1

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels http.user_agent and http.method that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP...

CVSS 7.5, AI score 7.1, EPSS 0.01159
Exploits: 0, References: 1
OSV
added 2023/10/12 5:15 p.m., 0 views

AZL-35069 CVE-2023-45142 affecting package opa for versions less than 0.63.0-1

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels http.user_agent and http.method that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP...

CVSS 7.5, AI score 7.1, EPSS 0.01159
Exploits: 0, References: 1
OSV
added 2023/10/12 5:15 p.m., 1 view

AZL-31303 CVE-2023-45142 affecting package cri-tools for versions less than 1.29.0-2

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels http.user_agent and http.method that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP...

CVSS 7.5, AI score 7, EPSS 0.01159
Exploits: 0, References: 1
OSV
added 2023/10/12 5:15 p.m., 1 view

AZL-33516 CVE-2023-45142 affecting package opa for versions less than 0.63.0-1

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels http.user_agent and http.method that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP...

CVSS 7.5, AI score 7.1, EPSS 0.01159
Exploits: 0, References: 1
OSV
added 2023/10/12 5:15 p.m., 3 views

AZL-34580 CVE-2023-45142 affecting package cert-manager for versions less than 1.12.12-1

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels http.user_agent and http.method that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP...

CVSS 7.5, AI score 7.1, EPSS 0.01159
Exploits: 0, References: 1
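An added example of the cardinality problem the CVE-2023-45142 entries above describe (constructed for this page, not otelhttp's code): a toy labelled counter fed attacker traffic that carries a fresh method token and a fresh User-Agent on every request, once with the raw values used as metric labels and once with the method normalised to a closed set and the user agent left out of the metric entirely. RequestCounter, the two attribute functions and hostile_traffic are hypothetical; the "_OTHER" placeholder for unknown methods is the one the OpenTelemetry HTTP semantic conventions use.

```python
from collections import Counter
from typing import Callable, Dict, Tuple

# Methods the server is willing to name in a metric label. Anything else is
# collapsed to "_OTHER", the placeholder the OpenTelemetry HTTP semantic
# conventions use for methods outside the known set.
KNOWN_METHODS = frozenset(
    {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH"}
)

Attributes = Tuple[Tuple[str, str], ...]


class RequestCounter:
    """Toy metric instrument: one time series per distinct attribute set,
    kept for the life of the process, like a labelled counter in any
    Prometheus/OTel style SDK. Memory grows with len(self.series)."""

    def __init__(self, attribute_fn: Callable[[Dict[str, str]], Attributes]):
        self.attribute_fn = attribute_fn
        self.series: Counter = Counter()

    def record(self, request: Dict[str, str]) -> None:
        self.series[self.attribute_fn(request)] += 1

    def series_count(self) -> int:
        return len(self.series)


def unbounded_attributes(req: Dict[str, str]) -> Attributes:
    """Vulnerable labelling: raw method and raw User-Agent become labels, so
    every distinct client string the attacker invents is a new series."""
    return (("http.method", req["method"]), ("http.user_agent", req["user_agent"]))


def bounded_attributes(req: Dict[str, str]) -> Attributes:
    """Hardened labelling: method normalised to a closed set, user agent not
    used as a metric label at all (keep it on spans or logs if you need it)."""
    method = req["method"].upper()
    if method not in KNOWN_METHODS:
        method = "_OTHER"
    return (("http.method", method),)


def hostile_traffic(n: int):
    """Constructed attacker traffic: every request carries a unique method
    token and a unique User-Agent string."""
    for i in range(n):
        yield {"method": f"GET{i}", "user_agent": f"scanner/{i}"}


def series_after(attribute_fn: Callable[[Dict[str, str]], Attributes], n: int) -> int:
    """Number of metric series alive after n hostile requests."""
    counter = RequestCounter(attribute_fn)
    for req in hostile_traffic(n):
        counter.record(req)
    return counter.series_count()


if __name__ == "__main__":
    n = 100_000
    print("unbounded labels:", series_after(unbounded_attributes, n), "series")
    print("bounded labels:  ", series_after(bounded_attributes, n), "series")
```

The unbounded variant allocates one series per request and never frees it, which is the memory-exhaustion path the advisories describe; the bounded variant stays at a single series no matter what the client sends. The rule generalises to any attribute taken from the request (path, host, query parameters): either map it onto a closed set before it becomes a label, or keep it out of metrics.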