6262 matches found

RedhatCVE
added 2023/10/10 9:13 p.m. | 81 views

CVE-2023-44487

A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any...

CVSS 7.5 | AI score 8 | EPSS 0.99999
Exploits: 19 | References: 8
OSV
added 2023/10/10 2:15 p.m. | 4 views

AZL-31333 CVE-2023-44487 affecting package nginx for versions less than 1.22.1-11

The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...

CVSS 7.5 | AI score 6.8 | EPSS 0.99999
Exploits: 19 | References: 1
Wolfi
added 2023/10/10 2:15 p.m. | 1569 views

CVE-2023-44487 vulnerabilities

Vulnerabilities for packages: gke-gcloud-auth-plugin, dgraph, nginx-mainline, kubewatch, ollama, mc, pulumi-language-dotnet, terraform-provider-aws, pulumi-kubernetes-operator, aws-efs-csi-driver, flux-kustomize-controller, nghttp2, fuse-overlayfs-snapshotter, wireguard-go, kubeflow-katib,...

CVSS 7.5 | AI score 7 | EPSS 0.99999
Exploits: 19
OSV
added 2023/10/10 2:15 p.m. | 3 views

AZL-35028 CVE-2023-44487 affecting package nginx for versions less than 1.25.4-1

The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...

CVSS 7.5 | AI score 7.1 | EPSS 0.99999
Exploits: 19 | References: 1
F5 Networks
added 2023/10/10 12:00 p.m. | 59 views

K000137106: HTTP/2 vulnerability CVE-2023-44487

Security Advisory Description: The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. CVE-2023-44487 is also known as HTTP/2 Rapid Reset Attack. Impact: BIG-IP and...

CVSS 7.5 | AI score 7.2 | EPSS 0.99999
Exploits: 19
F5 Networks
added 2023/10/10 10:43 a.m. | 12 views

K000135944: Attack signature check security exposure

Security Advisory Description: BIG-IP Advanced WAF, BIG-IP ASM, and NGINX App Protect systems incorrectly handle certain requests. This issue occurs when the following condition is met: BIG-IP Advanced WAF, BIG-IP ASM, and NGINX App Protect handle a crafted request with the parameter value. Impact...

AI score 6.7
Exploits: 0 | Affected software: 3
UbuntuCve
added 2023/10/10 12:00 a.m. | 418 views

CVE-2023-44487

The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...

CVSS 7.5 | AI score 7 | EPSS 0.99999
Exploits: 19 | References: 31
Tenable Nessus
added 2023/09/27 12:00 a.m. | 43 views

Amazon Linux 2 : nginx (ALASNGINX1-2023-001)

The version of nginx installed on the remote host is prior to 1.22.1-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2NGINX1-2023-001 advisory. NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, a...

CVSS 7.8 | AI score 7.4 | EPSS 0.01069
Exploits: 2 | References: 6
Tenable Nessus
added 2023/09/27 12:00 a.m. | 35 views

Amazon Linux 2 : nginx (ALASNGINX1-2023-003)

The version of nginx installed on the remote host is prior to 1.20.0-2. It is, therefore, affected by a vulnerability as referenced in the ALAS2NGINX1-2023-003 advisory. A flaw was found in nginx. An off-by-one error while processing DNS responses allows a network attacker to write a dot characte...

CVSS 7.7 | AI score 8.6 | EPSS 0.52838
Exploits: 10 | References: 4
Tenable Nessus
added 2023/09/27 12:00 a.m. | 41 views

Amazon Linux 2 : nginx (ALASNGINX1-2023-002)

The version of nginx installed on the remote host is prior to 1.20.0-2. It is, therefore, affected by a vulnerability as referenced in the ALAS2NGINX1-2023-002 advisory. ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but...

CVSS 7.4 | AI score 7.5 | EPSS 0.02037
Exploits: 0 | References: 4
Tenable Nessus
added 2023/09/27 12:00 a.m. | 18 views

Amazon Linux 2 : nginx (ALASNGINX1-2023-004)

The version of nginx installed on the remote host is prior to 1.18.0-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2NGINX1-2023-004 advisory. NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an...

CVSS 5.3 | AI score 6.7 | EPSS 0.14961
Exploits: 3 | References: 4
Tenable Nessus
added 2023/09/27 12:00 a.m. | 37 views

Amazon Linux 2 : nginx (ALASNGINX1-2023-005)

The version of nginx installed on the remote host is prior to 1.20.0-2. It is, therefore, affected by a vulnerability as referenced in the ALAS2NGINX1-2023-005 advisory. The nginx package before 1.6.2-5+deb8u3 on Debian jessie, the nginx packages before 1.4.6-1ubuntu3.6 on Ubuntu 14.04 LTS, befor...

CVSS 7.8 | AI score 7.4 | EPSS 0.04863
Exploits: 6 | References: 4
Tenable Nessus
added 2023/09/26 12:00 a.m. | 29 views

openSUSE 15 Security Update : modsecurity (openSUSE-SU-2023:0257-1)

The remote openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2023:0257-1 advisory. - DISPUTED: Trustwave ModSecurity 3.x through 3.0.4 allows denial of service via a special request. NOTE: The discoverer reports Trustwave has...

CVSS 7.5 | AI score 6.7 | EPSS 0.03206
Exploits: 4 | References: 11
Amazon
added 2023/09/25 12:00 a.m. | 7 views

Medium: nginx

Issue Overview: NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer. (CVE-2019-20372) Affected Packages: nginx. Note: Th...

CVSS 5.3 | AI score 6.8 | EPSS 0.14961
Exploits: 3
Amazon
added 2023/09/25 12:00 a.m. | 10 views

Medium: nginx

Issue Overview: The nginx package before 1.6.2-5+deb8u3 on Debian jessie, the nginx packages before 1.4.6-1ubuntu3.6 on Ubuntu 14.04 LTS, before 1.10.0-0ubuntu0.16.04.3 on Ubuntu 16.04 LTS, and before 1.10.1-0ubuntu1.1 on Ubuntu 16.10, and the nginx ebuild before 1.10.2-r3 on Gentoo allow local...

CVSS 7.8 | AI score 7 | EPSS 0.04863
Exploits: 6
Amazon
added 2023/09/25 12:00 a.m. | 3 views

Medium: nginx

Issue Overview: ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. A MiTM attacker having access to the victim's traffic at the TCP/IP layer can...

CVSS 7.4 | AI score 7.1 | EPSS 0.02037
Exploits: 0
Amazon
added 2023/09/25 12:00 a.m. | 4 views

Medium: nginx

Issue Overview: NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to corrupt NGINX worker memor...

CVSS 7.8 | AI score 6.6 | EPSS 0.01069
Exploits: 2
Amazon
added 2023/09/25 12:00 a.m. | 5 views

Important: nginx

Issue Overview: A flaw was found in nginx. An off-by-one error while processing DNS responses allows a network attacker to write a dot character out of bounds in a heap allocated buffer, which can allow overwriting the least significant byte of the next heap chunk's metadata, likely leading to a remote...

CVSS 7.7 | AI score 8.2 | EPSS 0.52838
Exploits: 10
Github Security Blog
added 2023/09/21 5:06 p.m. | 27 views

plone.rest vulnerable to Denial of Service when ++api++ is used many times

Impact: When the ++api++ traverser is accidentally used multiple times in a URL, handling it takes increasingly longer, making the server less responsive. Patches: Patches will be released in plone.rest 2.0.1 and 3.0.1. Series 1.x is not affected. Workarounds: In your frontend web server nginx, Apac...

CVSS 7.5 | AI score 6.8 | EPSS 0.00822
Exploits: 0 | References: 7 | Affected software: 1
OSV
added 2023/09/21 5:06 p.m. | 28 views

GHSA-H6RP-MPRM-XGCQ plone.rest vulnerable to Denial of Service when ++api++ is used many times

Impact: When the ++api++ traverser is accidentally used multiple times in a URL, handling it takes increasingly longer, making the server less responsive. Patches: Patches will be released in plone.rest 2.0.1 and 3.0.1. Series 1.x is not affected. Workarounds: In your frontend web server nginx, Apac...

CVSS 8.7 | AI score 7.4 | EPSS 0.00822
Exploits: 0 | References: 7