16 matches found

Veracode
added 2026/03/14 5:28 a.m., 6 views

Denial Of Service (DoS)

Tornado is vulnerable to Denial of Service (DoS). The vulnerability is due to synchronous parsing of multipart/form-data without limiting the number of parts, allowing attackers to send large requests with many parts that consume excessive CPU and block the main thread...

CVSS: 8.7, AI score: 5.8, EPSS: 0.00375
Exploits: 0, References: 4, Affected Software: 1
Github Security Blog
added 2026/03/12 2:19 p.m., 17 views

Tornado is vulnerable to DoS due to too many multipart parts

In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart...

CVSS: 8.7, AI score: 5.7, EPSS: 0.00375
Exploits: 0, References: 7, Affected Software: 1
EUVD
added 2025/10/03 8:7 p.m., 5 views

EUVD-2023-1026

Malicious code in bioql PyPI...

CVSS: 7.5, AI score: 6.8, EPSS: 0.0098
Exploits: 1, References: 4
SUSE CVE
added 2024/05/17 2:56 a.m., 3 views

SUSE CVE-2024-4140

An excessive memory use issue (CWE-770) exists in Email-MIME, before version 1.954, which can cause denial of service when parsing multipart MIME messages. The patch set from 2020 and 2024 limits excessive depth and the total number of parts...

CVSS: 7.5, AI score: 7.6, EPSS: 0.01132
Exploits: 0, References: 3
RedHat Linux
added 2023/11/08 2:26 p.m., 2 views

rubygem-rack: Denial of service in Multipart MIME parsing

A flaw was found in rubygem-rack. This issue occurs in the Multipart MIME parsing code in Rack, which limits the number of file parts but does not limit the total number of parts that can be uploaded. Carefully crafted requests can abuse this and cause multipart parsing to take longer than...

CVSS: 7.5, AI score: 6.6, EPSS: 0.0183
Exploits: 0, References: 6
OSV
added 2023/07/06 9:14 p.m., 2 views

GHSA-CX6H-86XW-9X34 Apache Tomcat - Fix for CVE-2023-24998 was incomplete

The fix for CVE-2023-24998 was incomplete. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded...

CVSS: 7.5, AI score: 7, EPSS: 0.51547
Exploits: 1, References: 15
OSV
added 2023/05/22 11:15 a.m., 3 views

DEBIAN-CVE-2023-28709

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted...

CVSS: 7.5, AI score: 7.4, EPSS: 0.51547
Exploits: 1, References: 1
RedHat Linux
added 2023/04/25 8:31 a.m., 0 views

rubygem-rack: Denial of service in Multipart MIME parsing

A flaw was found in rubygem-rack. This issue occurs in the Multipart MIME parsing code in Rack, which limits the number of file parts but does not limit the total number of parts that can be uploaded. Carefully crafted requests can abuse this and cause multipart parsing to take longer than...

CVSS: 7.5, AI score: 6.6, EPSS: 0.0183
Exploits: 0, References: 6
OSV
added 2023/04/21 11:5 a.m., 2 views

OESA-2023-1237 golang security update

The Go Programming Language. Security Fixes: Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can...

CVSS: 9.8, AI score: 7.2, EPSS: 0.02281
Exploits: 0, References: 5
OSV
added 2023/04/06 4:15 p.m., 1 views

AZL-37431 CVE-2023-24536 affecting package golang for versions less than 1.21.6-1

Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount ...

CVSS: 7.5, AI score: 6.6, EPSS: 0.01466
Exploits: 0, References: 1
OSV
added 2023/04/06 4:15 p.m., 1 views

AZL-79062 CVE-2023-24536 affecting package golang 1.25.7-1

Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount ...

CVSS: 7.5, AI score: 6.6, EPSS: 0.01466
Exploits: 0, References: 1
OSV
added 2023/04/06 4:15 p.m., 2 views

AZL-26028 CVE-2023-24536 affecting package msft-golang for versions less than 1.20.7-1

Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount ...

CVSS: 7.5, AI score: 6.6, EPSS: 0.01466
Exploits: 0, References: 1
SUSE CVE
added 2023/04/06 1:57 a.m., 1 views

SUSE CVE-2023-24536

Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount ...

CVSS: 5.9, AI score: 7.1, EPSS: 0.01466
Exploits: 0, References: 13
Snyk
added 2023/04/05 9:4 p.m., 1 views

Allocation of Resources Without Limits or Throttling

Overview: std/net/textproto is a Go standard library package. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. Go Vulnerability Report: Multipart form parsing can consume large amounts of CPU and memory when processing form...

CVSS: 8.7, AI score: 6.8, EPSS: 0.01466
Exploits: 0, References: 3
Snyk
added 2023/04/05 9:4 p.m., 1 views

Allocation of Resources Without Limits or Throttling

Overview: std/mime/multipart is a Go standard library package. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. Go Vulnerability Report: Multipart form parsing can consume large amounts of CPU and memory when processing for...

CVSS: 8.7, AI score: 6.8, EPSS: 0.01466
Exploits: 0, References: 3
OSV
added 2023/03/10 9:30 p.m., 1 views

GHSA-H76P-MC68-JV3P Denial of service in Jenkins Core

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service...

CVSS: 7.5, AI score: 6.8, EPSS: 0.0098
Exploits: 1, References: 4