31 matches found
USN-8416-1: Go Networking vulnerability
It was discovered that Go Networking incorrectly handled certain Punycode-encoded labels in the idna package. An attacker could possibly use this issue to bypass hostname-based access restrictions...
DEBIAN-CVE-2026-45409
Internationalized Domain Names in Applications IDNA for Python provides support for Internationalized Domain Names in Applications IDNA and Unicode IDNA Compatibility Processing. In versions prior to 3.15, payloads such as "\u0660" N or "\u30fb" N + "\u6f22" utilize the validcontexto function pri...
Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix
This is the same issue as CVE-2024-3651, however the original remediation in 2024 was not a complete fix. Payloads such as "\u0660" N or "\u30fb" N + "\u6f22" utilize the validcontexto function prior to length rejection, and for high values of N will take a long time to process. Impact A speciall...
GHSA-CM33-6792-R9FM Netty has a DNS Codec Input Validation Bypass (Encoder + Decoder)
Security Vulnerability Report: DNS Codec Input Validation Bypass in Netty Encoder + Decoder 1. Vulnerability Summary | Field | Value | |-------|-------| | Product | Netty | | Version | 4.2.12.Final and all prior versions with codec-dns | | Component | io.netty.handler.codec.dns.DnsCodecUtil | |...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper HTML encoding of page names in search results. An attacker can execute arbitrary JavaScript in the context of users viewing the affected search results by injecting malicious scripts through the pag...
CVE-2020-37167
ClamAV versions prior to 0.103.0-rc contain a vulnerability in function name processing through the ClamBC bytecode interpreter that allows attackers to manipulate bytecode function names. Attackers can exploit the weak input validation in function name encoding to potentially execute malicious...
CVE-2020-37167 ClamAV ClamBC < 0.103.0-rc - 'ClamBC' Executable Regular Expression Error
ClamAV versions prior to 0.103.0-rc contain a vulnerability in function name processing through the ClamBC bytecode interpreter that allows attackers to manipulate bytecode function names. Attackers can exploit the weak input validation in function name encoding to potentially execute malicious...
EUVD-2019-0685
Malware in sbrugna...
python-idna: potential DoS via resource consumption via specially crafted inputs to idna.encode()
A flaw was found in the python-idna library. A malicious argument was sent to the idna.encode function can trigger an uncontrolled resource consumption, resulting in a denial of service...
python-idna: potential DoS via resource consumption via specially crafted inputs to idna.encode()
A flaw was found in the python-idna library. A malicious argument was sent to the idna.encode function can trigger an uncontrolled resource consumption, resulting in a denial of service...
The vulnerability of the idna.encode() function in internationalized domain names in applications allows a violator to trigger a service denial.
The vulnerability of the idna.encode function in internationalized domain names in applications is related to uncontrolled resource consumption. Exploiting this vulnerability could allow a malicious actor to cause service failures...
UBUNTU-CVE-2021-47401
In the Linux kernel, the following vulnerability has been resolved: ipack: ipoctal: fix stack information leak The tty driver name is used also after registering the driver and must specifically not be allocated on the stack to avoid leaking information to user space or triggering an oops. Driver...
UBUNTU-CVE-2023-5512
An issue has been discovered in GitLab CE/EE affecting all versions from 16.3 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. File integrity may be compromised when specific HTML encoding is used for file names leading for incorrect...
PT-2023-32144 · Gitlab · Gitlab Ce/Ee +1
Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 16.3 through 16.4.3 GitLab CE/EE versions 16.5 through 16.5.3 GitLab CE/EE versions 16.6 through 16.6.1 Description: An issue has been discovered in GitLab CE/EE where file integrity may be compromised when specific HTML...
SUSE CVE-2019-12402
The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress...
PT-2023-12821 · Unknown · Serve-Lite
Name of the Vulnerable Software and Affected Versions: serve-lite versions all Description: The issue arises when the software detects a request to a directory and renders a file listing of its contents. This listing includes links with actual file names, but these names are not sanitized or outp...
CVE-2022-43551
A vulnerability exists in curl 7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypasse...
Another HSTS bypass via IDN
curl's HSTS check could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. The HSTS mechanism could be bypassed if the hostname in the given URL first uses...
PT-2021-24130 · Privoxy +4 · Privoxy +4
Name of the Vulnerable Software and Affected Versions: Privoxy affected versions not specified Description: A cross-site scripting XSS issue was discovered in Privoxy. The problem was addressed by encoding the template name in the cgi error no template function when Privoxy is set to serve the us...
The vulnerability of DHCP clients for UNIX-based command-line tools like BusyBox, related to integer overflows in value manipulation, allows attackers to trigger a service failure.
The vulnerability of DHCP clients that use UNIX command-line utilities with BusyBox is related to integer overflows. Exploiting this vulnerability allows an attacker to cause a service failure by using a modified domain name with the RFC1035 encoding...