CVE-2021-42717

ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large e.g., 300KB HTTP request can occupy one of the limited NGINX worke...

Design/Logic Flaw

ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large e.g., 300KB HTTP request can occupy one of the limited NGINX worke...

UBUNTU-CVE-2021-42717

ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large e.g., 300KB HTTP request can occupy one of the limited NGINX worke...

CVE-2021-42717

ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large e.g., 300KB HTTP request can occupy one of the limited NGINX worke...

CVE-2021-42717

ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large e.g., 300KB HTTP request can occupy one of the limited NGINX worke...

Vulnerability fixed in Ngnix

F5 has fixed a vulnerability in NGINX. The vulnerability makes it possible to perform a denial-of-service attack by sending corrupt json data. The vulnerability is specifically in the JSON parser of the ModSecurity WAF module of NGINX Plus. F5 has made updates available to fix the vulnerability...

ModSecurity 安全漏洞

ModSecurity is an intrusion detection and blocking engine that can be run as a module of the Apache Web Server or as a standalone application to enhance the security of Web applications and protect Web applications from known and unknown attacks. A security vulnerability exists in the NGINX...

New Payment Data Stealing Malware Hides in Nginx Process on Linux Servers

E-commerce platforms in the U.S., Germany, and France have come under attack from a new form of malware that targets Nginx servers in an attempt to masquerade its presence and slip past detection by security solutions. "This novel code injects itself into a host Nginx application and is nearly...

Exploit for Improper Encoding or Escaping of Output in F5 Nginx

This repository is an open-source collection of vulnerable systems and applications for educational purposes, specifically for penetration testing and vulnerability assessment. It is maintained by phith0n and hosted on GitHub. The repository contains various vulnerable systems and applications,...

openssl security update

1:1.1.1k-4 - Fixes bugs in s390x AES code. - Uses the first detected address family if IPv6 is not available - Reverts the changes in https://github.com/openssl/openssl/pull/13305 as it introduces a regression if server has a DSA key pair, the handshake fails when the protocol is not explicitly s...

vulhub1

This is a repository for a project called Vulhub, which appears to be a collection of vulnerable systems and applications for testing and learning purposes. The repository contains various files and directories, including: 1. .gitattributes: A file that specifies which files should be ignored by...

pwnSpoof - Generates realistic spoofed log files for common web servers with customisable attack scenarios

pwnSpoof from Punk Security generates realistic spoofed log files for common web servers with customisable attack scenarios. Every log bundle is unique and completely customisable, making it perfect for generating CTF scenarios and for training serials. Can you find the attacker session and build...

CRLF Injection in phpservermon/phpservermon

Description misconfig of nginx lead to crlf injection In nginx, $uri is url decoded, which will decode %0d%0a to CRLF. code: return 301 http://$uri; Proof of Concept A request to: http://www.test.com/%0d%0afakeheader:123%0d%0a%0d%0afakecontent Impact CRLF Injection allows an attacker to inject...

[ASA-202111-7] kubectl-ingress-nginx: information disclosure

Arch Linux Security Advisory ASA-202111-7 ========================================= Severity: High Date : 2021-11-18 CVE-ID : CVE-2021-25742 Package : kubectl-ingress-nginx Type : information disclosure Remote : Yes Link : https://security.archlinux.org/AVG-2490 Summary ======= The package...

openssl security and bug fix update

1:1.1.1k-4 - Fixes bugs in s390x AES code. - Uses the first detected address family if IPv6 is not available - Reverts the changes in https://github.com/openssl/openssl/pull/13305 as it introduces a regression if server has a DSA key pair, the handshake fails when the protocol is not explicitly s...

in jitsi/jicofo

Description misconfigurations of nginx lead to a path traversal vulnerability. Proof of Concept according to https://github.com/jitsi/jicofo/blob/master/doc/shibboleth.md?plain=1L251 a request to /shibboleth-sp../ can get any file under /usr/share Impact An attacker can access files on the web...

Path Traversal in welliamcao/opsmanage

漏洞 README.md文件中的nginx配置存在安全漏洞，导致恶意攻击者可以任意读取项目中的文件。 POC 对于github上的demo地址，一种可行的攻击方式为： http://42.194.214.22:8000/static../ 可以看到读取到整个项目的文件。如果用户对该项目进行过二开，并在init.sql，conf/中写入了一些敏感信息，可能造成较大危害 影响 攻击者可以读取项目目录下任意文件...

Important: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.4 images and security updates

Red Hat Advanced Cluster Management for Kubernetes 2.4.0 General Availability release images, which fix several bugs and security issues. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a...

Security Bulletin: A security vulnerability in NGINX affects IBM Cloud Pak for Multicloud Management Managed Services

Summary A security vulnerability in NGINX affects IBM Cloud Pak for Multicloud Management Managed Services. Vulnerability Details CVEID: CVE-2021-3618 DESCRIPTION: Sendmail, vsftpd and NGINX could provide weaker than expected security, caused by an ALPACA application layer protocol content...

new module: nginx:1.20

An update is available for nginx. This update affects Rocky Linux 8. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list This enhancement update adds the nginx:1.20 module to Rocky Linux 8. BZ1945671...