
220 matches found

RedHat Linux
added 2025/08/20 3:36 p.m. · 2 views

tomcat: Apache Tomcat denial of service

A denial of service flaw was found in Apache Tomcat. An uncontrolled resource consumption vulnerability, where an HTTP/2 client fails to acknowledge the initial settings frame that reduces the maximum permitted concurrent streams, could result in a denial of service...

CVSS 7.5 · AI score 7.1 · EPSS 0.01898
Exploits 0 · References 5
Fedora
added 2025/08/19 4:45 a.m. · 7 views

[SECURITY] Fedora 41 Update: rust-h2-0.4.12-1.fc41

An HTTP/2 client and server...

CVSS 6.8 · AI score 6.4 · EPSS 0.00183
Exploits 0
CNNVD
added 2025/08/13 12:00 a.m. · 2 views

Netty Security Vulnerability

Netty is a non-blocking I/O client-server framework from the Netty community, which is primarily used for developing Java web applications such as protocol servers and clients. A security vulnerability exists in Netty versions prior to 4.1.124.Final and 4.2.4.Final, which stems from a flaw in the...

CVSS 8.2 · AI score 5.9 · EPSS 0.00979
Exploits 1 · References 5
CNNVD
added 2025/08/13 12:00 a.m. · 6 views

Security Vulnerability in Multiple SUSE Linux Products

SUSE Linux Enterprise Desktop is the enterprise edition of the Linux desktop operating system from SUSE, Germany. A security vulnerability exists in various SUSE Linux products that originates from stream resets in the HTTP/2 implementation resulting in excessive consumption of server...

CVSS 7.5 · AI score 6.6 · EPSS 0.04604
Exploits 3 · References 11
CERT
added 2025/08/13 12:00 a.m. · 15 views

HTTP/2 implementations are vulnerable to "MadeYouReset" DoS attack through HTTP/2 control frames

Overview: A vulnerability has been discovered within many HTTP/2 implementations allowing for denial of service (DoS) attacks through HTTP/2 control frames. This vulnerability is colloquially known as "MadeYouReset" and is tracked as CVE-2025-8671. Some vendors have assigned a specific CVE to their...

CVSS 7.5 · AI score 7.1 · EPSS 0.04604
Exploits 3 · References 18
SUSE Linux
added 2025/08/11 6:20 a.m. · 4 views

Security update for tomcat

This update for tomcat fixes the following issues: CVE-2025-52520: Fixed an integer overflow that can lead to DoS for some unlikely configurations of multipart upload (bsc#1246388). CVE-2025-53506: Fixed an uncontrolled resource consumption vulnerability triggered by an HTTP/2 client (bsc#1246318). Patch Instructions: To install...

CVSS 8.2 · AI score 8.4 · EPSS 0.0196
Exploits 0 · References 8
BDU FSTEC
added 2025/07/09 12:00 a.m. · 5 views

A vulnerability in the Device Admin App of the ctrlX OS operating system allows an attacker to enumerate user account names.

The vulnerability in the Device Admin App on ctrlX OS stems from allocation of resources without limits. Exploiting it allows a remote attacker to enumerate user account names by sending specially crafted HTTP requests...

CVSS 5.3 · AI score 5.5 · EPSS 0.00353
Exploits 0 · References 3 · Affected Software 1
RedHat Linux
added 2025/07/01 2:34 p.m. · 4 views

jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability

A flaw was found in Eclipse Jetty. This vulnerability allows a denial of service attack via an HTTP/2 client specifying a very large value for the SETTINGS_MAX_HEADER_LIST_SIZE parameter...

CVSS 7.5 · AI score 7 · EPSS 0.00625
Exploits 0 · References 6
CNNVD
added 2025/04/30 12:00 a.m. · 4 views

Bosch Rexroth ctrlX OS Security Vulnerability

Bosch Rexroth ctrlX OS is a Linux-based real-time operating system from Bosch Rexroth, Germany, designed as an open control platform for industrial automation equipment. A security vulnerability exists in Bosch Rexroth ctrlX OS that originates from a specially crafted HTTP request in the web...

CVSS 5.4 · AI score 6.7 · EPSS 0.00426
Exploits 0 · References 1
CNNVD
added 2025/04/21 12:00 a.m. · 3 views

WebServer Injection Vulnerability

WebServer is a C++ web server for Linux by the individual developer MARK. An injection vulnerability exists in WebServer version 1.0: the Login component in the file code/http/httprequest.cpp is susceptible to SQL injection through manipulation of the username/password parameters...

CVSS 9.8 · AI score 7.7 · EPSS 0.00419
Exploits 0 · References 4
Snyk
added 2025/04/08 4:00 p.m. · 4 views

Allocation of Resources Without Limits or Throttling

Overview: Microsoft.AspNetCore.App.Runtime.linux-arm64 is a package providing a default set of APIs for building an ASP.NET Core application. It contains assets used for self-contained deployments. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttlin...

CVSS 8.7 · AI score 7.9 · EPSS 0.01267
Exploits 0 · References 2
OSV
added 2025/03/18 5:31 p.m. · 5 views

CLSA-2025-1742319076 Fix CVE(s): CVE-2023-44487

SECURITY UPDATE: The HTTP/2 protocol allows a denial of service because request cancellation can reset many streams quickly - debian/patches/CVE-2023-44487.patch: HTTP/2 - per-iteration stream handling limit. - CVE-2023-44487...

CVSS 7.5 · AI score 7.1 · EPSS 0.99999
Exploits 19 · References 1
AstraLinux
added 2025/02/11 7:35 a.m. · 5 views

Astra Linux – Vulnerability in Apache2

Servicing WebSocket protocol upgrades over an HTTP/2 connection may lead to a Null Pointer dereference, causing the server process to crash and degrading performance...

CVSS 5.4 · AI score 6.2 · EPSS 0.01715
Exploits 0 · References 3
BDU FSTEC
added 2025/01/21 12:00 a.m. · 4 views

A vulnerability in the firmware of the PowerLogic HDPM6000 multi-circuit voltage measuring instrument, related to authentication bypass via a user-controlled key, allows attackers to escalate their privileges.

The vulnerability in the firmware of the PowerLogic HDPM6000 multi-circuit voltage measuring instrument lies in the ability to bypass authentication by using a user-controlled key. Exploiting this vulnerability allows an attacker to escalate their privileges by...

CVSS 9 · AI score 5.5 · EPSS 0.00539
Exploits 0 · References 3 · Affected Software 1
RedHat Linux
added 2024/12/12 2:25 a.m. · 2 views

waitress: python-waitress: request processing race condition in HTTP pipelining with invalid first request

A flaw was found in the Waitress WSGI server for Python. A remote client can send a request that is exactly recv_bytes (which defaults to 8192) bytes long, followed by a secondary request using HTTP pipelining. When request lookahead is disabled (the default), Waitress won't read any more requests, and when th...

CVSS 9.1 · AI score 5.8 · EPSS 0.00492
Exploits 0 · References 6
BDU FSTEC
added 2024/11/20 12:00 a.m. · 3 views

A vulnerability in the ccmdebug_m() function of the Annke Crater 2 (F300) camera firmware allows an intruder to execute arbitrary commands.

The vulnerability in the ccmdebug_m() function of the Annke Crater 2 (F300) IP camera firmware lies in the failure to neutralize special elements used in operating system commands. Exploiting this vulnerability allows a remote attacker to execute arbitrary commands by sending a...

CVSS 8.8 · AI score 6 · EPSS 0.01707
Exploits 0 · References 4 · Affected Software 1
Amazon
added 2024/11/15 12:00 a.m. · 3 views

Important: perl-App-cpanminus

Issue Overview: The App::cpanminus package through 1.7047 for Perl downloads code via insecure HTTP, enabling code execution for network attackers. (CVE-2024-45321) Affected Packages: perl-App-cpanminus. Note: This advisory is applicable to the Amazon Linux 2 (AL2) Core repository. Visit this FAQ section...

CVSS 9.8 · AI score 7.8 · EPSS 0.00737
Exploits 1
OSV
added 2024/10/23 4:15 p.m. · 3 views

CVE-2024-30124

HCL Sametime is impacted by insecure services in-use on the UIM client by default. An unused legacy REST service was enabled by default using the HTTP protocol. An attacker could potentially use this service endpoint maliciously...

CVSS 4 · AI score 5.8 · EPSS 0.00166
Exploits 0 · References 1
BDU FSTEC
added 2024/10/21 12:00 a.m. · 4 views

A vulnerability in the Site Hierarchy Flows component of the Oracle Site Hub data storage and management system, part of the Oracle E-Business Suite, allows an attacker to access, modify, add, and delete data.

The vulnerability in the Site Hierarchy Flows component of the Oracle Site Hub data storage and management system, part of the Oracle E-Business Suite enterprise business automation system, is related to authentication errors. Exploiting this vulnerability could allow an attacker to gain...

CVSS 8.5 · AI score 7.5 · EPSS 0.00435
Exploits 0 · References 4 · Affected Software 2
Positive Technologies
added 2024/09/18 12:00 a.m. · 3 views

PT-2024-39302 · Circutor · Circutor Q-Smt

Name of the Vulnerable Software and Affected Versions: CIRCUTOR Q-SMT version 1.0.4. Description: An attacker with access to the network where the CIRCUTOR Q-SMT is located could obtain legitimate credentials or steal sessions due to the fact that the device only implements the HTTP protocol,...

CVSS 8.8 · AI score 6.9 · EPSS 0.00391
Exploits 0 · References 8