CVE-2022-41721

CVE-2022-41721 describes a request-smuggling issue in Go’s HTTP/2 handling via the MaxBytesHandler. When the handler does not fully consume the request body, the server may read HTTP/2 frames from the body stream instead of the network, allowing an attacker to craft body content that represents a...

CVE-2022-41721 Request smuggling due to improper request handling in golang.org/x/net/http2/h2c

A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be...

CVE-2022-41721

A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be...

GO-2023-1495 Request smuggling due to improper request handling in golang.org/x/net/http2/h2c

A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be...

OESA-2023-1031 jetty security update

Jetty is a 100% Java HTTP Server and Servlet Container. This means that you do not need to configure and run a separate web server like Apache in order to use Java, servlets and JSPs to generate dynamic content. Jetty is a fully featured web server for static and dynamic content. Unlike separate...

PT-2023-5866

Name of the Vulnerable Software and Affected Versions Apache HTTP Server versions prior to 2.4.57 Bamboo Data Center and Server versions 8.1.0, 8.2.0, 9.0.0, 9.1.0, 9.2.1, and 9.3.0 F5 NGINX products affected versions not specified gRPC-Go versions prior to 1.56.3, 1.57.1, and 1.58.3 IBM HTTP...

AZL-44487 CVE-2022-41717 affecting package podman for versions less than 5.6.1-2

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate...

grunt-yellowlabtools (>=0.0.1 <=1.2.1), install-is (>=1.4.0 <=1.4.2) +3 more potentially affected by CVE-2022-25906 via is-http2 (>=1.0.4 <=1.2.0)

is-http2 NPM version =1.0.4, =0.0.1, =1.4.0, =1.0.0, =1.10.0, =1.13.4 Source cves: CVE-2022-25906 Source advisory: SNYK:JS-ISHTTP2-3153878...

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection due to missing input sanitization or other checks, and sandboxes being employed to the isH2 function. PoC javascript var root = require"is-http2" root"./",openssl:"touch JHU" Remediation There is no fixed version for...

Important: Red Hat Security Advisory: Red Hat Fuse 7.11.1 release and security update

A minor version update from 7.11 to 7.11.1 is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability...

Varnish Cache 安全漏洞

Varnish Cache is a set of reverse web caching servers. A security vulnerability exists in Varnish Cache version 5.x, version 6.x up to and including version 6.0.11, version 7.x up to and including version 7.1.2, and version 7.2.x up to and including version 7.2.1. An attacker exploits this...

Denial of Service (DoS)

Overview apple/swift-nio-http2 is a HTTP/2 support for SwiftNIO. Affected versions of this package are vulnerable to Denial of Service DoS on HTTP/2 servers. Details Denial of Service DoS describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users...

Denial of Service (DoS)

Overview apple/swift-nio-http2 is a HTTP/2 support for SwiftNIO. Affected versions of this package are vulnerable to Denial of Service DoS on HTTP/2 servers. Details Denial of Service DoS describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users...

Denial of Service (DoS)

Overview apple/swift-nio-http2 is a HTTP/2 support for SwiftNIO. Affected versions of this package are vulnerable to Denial of Service DoS. Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. Details Denial of Service DoS describes a family of...

Denial of Service (DoS)

Overview apple/swift-nio-http2 is a HTTP/2 support for SwiftNIO. Affected versions of this package are vulnerable to Denial of Service DoS on HTTP/2 servers. Details Denial of Service DoS describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users...

Integer Overflow or Wraparound

Overview apple/swift-nio-http2 is a HTTP/2 support for SwiftNIO. Affected versions of this package are vulnerable to Integer Overflow or Wraparound. This can result in a DoS, caused by a network peer sending a specially crafted HPACK-encoded header block. Remediation Upgrade apple/swift-nio-http2...

Denial of Service (DoS)

Overview apple/swift-nio-http2 is a HTTP/2 support for SwiftNIO. Affected versions of this package are vulnerable to Denial of Service DoS. This can be caused by a network peer sending a specially crafted HTTP/2 frame, due to a logical error when parsing a HTTP/2 HEADERS or HTTP/2 PUSHPROMISE fra...

httpd: Request splitting via HTTP/2 method injection and mod_proxy

A NULL pointer dereference was found in Apache httpd modh2. The highest threat from this flaw is to system integrity...

traefik -- Use of vulnerable Go module x/net/http2

The Go project reports: A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, whi...

Medium: containerd, docker

Issue Overview: In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. CVE-2022-27664 Affected Packages: containerd, docker Note: This advisory is applicabl...