3333 matches found

Github Security Blog
added 2024/02/15 3:22 p.m. · 30 views

Scrapy vulnerable to ReDoS via XMLFeedSpider

Impact: The following parts of the Scrapy API were found to be vulnerable to a ReDoS attack:
- The XMLFeedSpider class or any subclass that uses the default node iterator, iternodes, as well as direct uses of the scrapy.utils.iterators.xmliter function.
- Scrapy 2.6.0 to 2.11.0: The openinbrowser...

CVSS 7.5 · AI score 7.2 · EPSS 0.00553
Exploits 1 · References 8 · Affected Software 1

Positive Technologies
added 2024/02/15 12:00 a.m. · 1 view

PT-2024-18399 · Scrapy +3

Name of the Vulnerable Software and Affected Versions: Scrapy versions 2.6.0 through 2.11.0; Scrapy versions prior to 1.8.4. Description: A Regular Expression Denial of Service (ReDoS) vulnerability exists in the XMLFeedSpider class of the Scrapy project, specifically in the parsing of XML content. B...

CVSS 8.8 · AI score 6.9 · EPSS 0.01243
Exploits 5 · References 38

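Before filing or triaging a report like the ones above, a practitioner wants a quick check that a suspect pattern really is super-linear. The growth probe below is an added example, not code from Scrapy, Positive Technologies or any advisory on this page: it times a regex on a constructed family of inputs of increasing length and flags the pattern when running time grows far faster than the input does. The two patterns and the input generator are hypothetical stand-ins for a ";name=value" option matcher, chosen only to put an exponential shape and a linear shape side by side.

```python
import re
import time

# Hypothetical pattern in the shape of a naive ";name=value" option matcher
# (constructed for illustration, not any project's real regex). The nested
# quantifier (?:...+\s*)+ lets a backtracking engine split one run of name
# characters in 2^(n-1) ways, and if no "=" ever follows it tries them all.
EXPONENTIAL_RE = re.compile(r";(?:[^\s;=]+\s*)+=")

# Same job without a nested quantifier: each character is visited a bounded
# number of times, so the cost grows linearly with the input.
LINEAR_RE = re.compile(r";[^;=]*=")


def option_without_equals(n: int) -> str:
    """Constructed attacker input: an n-character option name and no '='."""
    return ";" + "a" * n + "!"


def time_match(pattern: re.Pattern, text: str, repeats: int = 3) -> float:
    """Best-of-`repeats` wall-clock seconds for pattern.match(text)."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        pattern.match(text)
        best = min(best, time.perf_counter() - start)
    return best


def probe(pattern: re.Pattern, make_input, sizes) -> dict:
    """Map each input size in `sizes` to the seconds the pattern needs on it."""
    return {n: time_match(pattern, make_input(n)) for n in sizes}


def is_super_linear(timings: dict, slack: float = 8.0) -> bool:
    """Flag a pattern whose running time grew more than `slack` times faster
    than the input size between the smallest and largest probed sizes.
    A linear pattern stays near a ratio of 1; an exponential one blows past
    the slack within a few extra characters."""
    lo, hi = min(timings), max(timings)
    size_ratio = hi / lo
    time_ratio = timings[hi] / max(timings[lo], 1e-9)
    return time_ratio > slack * size_ratio


if __name__ == "__main__":
    for name, pattern, sizes in (
        ("exponential", EXPONENTIAL_RE, (10, 12, 14, 16, 18)),
        ("linear", LINEAR_RE, (1000, 2000, 4000, 8000, 16000)),
    ):
        timings = probe(pattern, option_without_equals, sizes)
        for n, secs in timings.items():
            print(f"{name:12s} n={n:6d} {secs * 1000:9.3f} ms")
        print(f"{name:12s} super-linear: {is_super_linear(timings)}")
```

The exponential probe stops at 18 characters on purpose: every two extra characters roughly quadruple the time, which is exactly the curve an attacker exploits with a few kilobytes of header. The linear probe uses much larger inputs so that timer overhead does not dominate the ratio. A pattern that trips this check and sees attacker-controlled input should be rewritten or replaced by a hand-written scanner, not merely wrapped in a length limit.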
Github Security Blog
added 2024/02/12 5:28 p.m. · 60 views

python-multipart vulnerable to Content-Type Header ReDoS

Summary: When using form data, python-multipart uses a regular expression to parse the HTTP Content-Type header, including its options. An attacker could send a custom-made Content-Type option that is very difficult for the regex to process, consuming CPU resources and stalling indefinitely, minutes or...

CVSS 7.5 · AI score 7.3 · EPSS 0.01523
Exploits 1 · References 10 · Affected Software 1

0day.today
added 2024/02/12 12:00 a.m. · 400 views

SCHLIX 2.2.8-1 Denial Of Service Exploit

Exploit Title: SCHLIX v2.2.8-1 Regular Expression Denial of Service Exploit
Author: Diyar Saadi
Vendor Homepage: https://www.schlix.com
Software Link: https://www.schlix.com/html/schlix-cms-downloads.html
Version: v2.2.8-1
Tested on: Windows 11 + XAMPP
Description: SCHLIX v2.2.8-1 is vulnerable to...

AI score 7.4
Exploits 0

Packet Storm
added 2024/02/12 12:00 a.m. · 330 views

SCHLIX 2.2.8-1 Denial Of Service

Exploit Title: SCHLIX v2.2.8-1 Regular Expression Denial of Service
Date: 02/10/2024
Exploit Author: Diyar Saadi
Vendor Homepage: https://www.schlix.com
Software Link: https://www.schlix.com/html/schlix-cms-downloads.html
Version: v2.2.8-1
Tested on: Windows 11 + XAMPP
Description: SCHLIX v2.2.8-1...

AI score 7.4
Exploits 0

OpenVAS
added 2024/02/09 12:00 a.m. · 9 views

Huawei EulerOS: Security Advisory for python-configobj (EulerOS-SA-2024-1161)

The remote host is missing an update for the Huawei EulerOS. SPDX-FileCopyrightText: 2024 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. if(description)...

CVSS 5.9 · AI score 6.1 · EPSS 0.01259
Exploits 1 · References 2

Tenable Nessus
added 2024/02/08 12:00 a.m. · 27 views

EulerOS 2.0 SP5 : python-configobj (EulerOS-SA-2024-1161)

According to the versions of the python-configobj package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: - All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using...

CVSS 5.9 · AI score 5.5 · EPSS 0.01259
Exploits 1 · References 2

Veracode
added 2024/02/07 10:22 a.m. · 14 views

Regular Expression Denial Of Service (ReDoS)

python-multipart is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability is due to a regular expression with inefficient complexity used to parse the HTTP Content-Type header. An attacker can send a request with a crafted Content-Type option that consumes excessive CPU...

AI score 6.9
Exploits 0

The Hacker News
added 2024/02/06 2:02 p.m. · 54 views

Experts Detail New Flaws in Azure HDInsight Spark, Kafka, and Hadoop Services

Three new security vulnerabilities have been discovered in Azure HDInsight's Apache Hadoop, Kafka, and Spark services that could be exploited to achieve privilege escalation and a regular expression denial-of-service (ReDoS) condition. "The new vulnerabilities affect any authenticated user of Azure...

CVSS 9.8 · AI score 8.4 · EPSS 0.01874
Exploits 0

Github Security Blog
added 2024/02/05 5:01 p.m. · 26 views

Duplicate Advisory: FastAPI Content-Type Header ReDoS

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-2jv5-9r88-3w3p. This link is maintained to preserve external references. Original Description: Summary: When using form data, python-multipart uses a regular expression to parse the HTTP Content-Type header,...

CVSS 7.5 · AI score 7.5 · EPSS 0.01523
Exploits 1 · References 11 · Affected Software 1

OSV
added 2024/02/05 5:01 p.m. · 9 views

GHSA-93GM-QMQ6-W238 Duplicate Advisory: Starlette Content-Type Header ReDoS

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-2jv5-9r88-3w3p. This link is maintained to preserve external references. Original Description: Summary: When using form data, python-multipart uses a regular expression to parse the HTTP Content-Type header,...

CVSS 7.5 · AI score 7.4 · EPSS 0.01523
Exploits 1 · References 4

Github Security Blog
added 2024/02/05 5:01 p.m. · 18 views

Duplicate Advisory: Starlette Content-Type Header ReDoS

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-2jv5-9r88-3w3p. This link is maintained to preserve external references. Original Description: Summary: When using form data, python-multipart uses a regular expression to parse the HTTP Content-Type header,...

AI score 6.9
Exploits 0 · References 4 · Affected Software 1

CVE
added 2024/02/05 2:33 p.m. · 434 views

CVE-2024-24762

CVE-2024-24762 affects python-multipart and describes a ReDoS in parsing the HTTP Content-Type header (options). An attacker can send a crafted Content-Type to exhaust CPU and stall the event loop. The vulnerability is fixed in version 0.0.7 by upstream patching the regex. Remediation is to upgra...

CVSS 7.5 · AI score 7.2 · EPSS 0.01523
Exploits 1 · References 8 · Affected Software 1

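The python-multipart entries above describe a regex that parses Content-Type options and an attacker-chosen option that makes it backtrack. As an added example that is neither python-multipart's code nor its 0.0.7 fix, here is a hypothetical option regex with the vulnerable nested-quantifier shape beside a hardened replacement that scans the header once with no regex at all. The sample headers and the MAX_HEADER_LEN cap are constructed assumptions, not values taken from the advisories.

```python
import re

# Hypothetical regex-based option parser in the shape the advisories above
# describe (constructed for illustration; NOT python-multipart's real
# pattern). The nested quantifier (?:[^\s;=]+\s*)+ lets a backtracking engine
# split one parameter name 2^(n-1) ways, so a long name that is never
# followed by "=" costs exponential time before the match finally fails.
NAIVE_OPTION_RE = re.compile(r';\s*((?:[^\s;=]+\s*)+)=\s*("[^"]*"|[^;]*)')

# Assumption: no legitimate Content-Type header is anywhere near this long,
# so oversized ones are rejected before any parsing work is done.
MAX_HEADER_LEN = 16384


def naive_options(header: str) -> dict:
    """Vulnerable shape: pull ;name=value pairs out with a backtracking regex."""
    options = {}
    for name, value in NAIVE_OPTION_RE.findall(header):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        options[name.strip().lower()] = value.strip()
    return options


def parse_content_type(header: str) -> tuple:
    """Hardened form: one left-to-right scan, no regex. Every character is
    examined a bounded number of times, so the worst case is O(len(header))
    whatever the attacker sends. Returns (media_type, {name: value})."""
    if len(header) > MAX_HEADER_LEN:
        raise ValueError("Content-Type header too long")
    n = len(header)
    sep = header.find(";")
    if sep == -1:
        return header.strip().lower(), {}
    media_type = header[:sep].strip().lower()
    options = {}
    i = sep + 1
    while i < n:
        # Skip whitespace and empty ';;' parameters.
        while i < n and header[i] in " \t;":
            i += 1
        if i >= n:
            break
        # Parameter name runs up to '=' or the next ';'.
        start = i
        while i < n and header[i] not in "=;":
            i += 1
        name = header[start:i].strip().lower()
        if i >= n or header[i] == ";":
            if name:
                options[name] = ""  # name with no value
            continue
        i += 1  # step over '='
        while i < n and header[i] in " \t":
            i += 1
        if i < n and header[i] == '"':
            # quoted-string: honour backslash escapes, stop at the closing quote.
            i += 1
            chars = []
            while i < n and header[i] != '"':
                if header[i] == "\\" and i + 1 < n:
                    i += 1
                chars.append(header[i])
                i += 1
            i += 1  # step over the closing quote (harmless if it is missing)
            value = "".join(chars)
        else:
            start = i
            while i < n and header[i] != ";":
                i += 1
            value = header[start:i].strip()
        if name:
            options[name] = value
    return media_type, options


if __name__ == "__main__":
    # Constructed sample headers (not taken from any real request).
    benign = 'multipart/form-data; boundary=----WebKitFormBoundaryX; charset="utf-8"'
    hostile = "multipart/form-data;" + "a" * 10000 + "!"  # no '=' ever arrives
    print(naive_options(benign))
    print(parse_content_type(benign))
    print(parse_content_type(hostile)[0])  # returns at once
    # naive_options(hostile) is deliberately not called: it would backtrack
    # for far longer than anyone wants to wait.
```

Both functions agree on well-formed headers; they part ways only on hostile input, where the scanner's cost stays proportional to the header length. The length cap is a belt-and-braces control rather than the fix: a linear parser does not need it for correctness, but rejecting oversized headers before any work is done bounds the cost of everything downstream.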
Tenable Nessus
added 2024/02/05 12:00 a.m. · 22 views

Fedora 38 : mingw-python-pygments (2024-db87ce2a47)

The remote Fedora 38 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-db87ce2a47 advisory. Update to 2.15.1. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not tested for this...

CVSS 5.5 · AI score 6.3 · EPSS 0.00503
Exploits 1 · References 2

Veracode
added 2024/02/02 5:58 p.m. · 19 views

Regular Expression Denial Of Service (ReDoS)

GitLab is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability is caused by a lack of input validation within Cargo.toml. An attacker can trigger a Regular Expression Denial of Service (ReDoS) by using a maliciously crafted input...

CVSS 6.5 · AI score 6.8 · EPSS 0.00987
Exploits 0 · References 4 · Affected Software 1

OSV
added 2024/02/02 11:06 a.m. · 3 views

OESA-2024-1121 jruby security update

JRuby is a 100% Java implementation of the Ruby programming language. It is Ruby for the JVM. JRuby provides a complete set of core "builtin" classes and syntax for the Ruby language, as well as most of the Ruby Standard Libraries. Security Fixes: A ReDoS issue was discovered in the Time componen...

CVSS 5.3 · AI score 7.2 · EPSS 0.02452
Exploits 0 · References 2

Veracode
added 2024/02/01 7:13 p.m. · 31 views

Regular Expression Denial Of Service (ReDoS)

Axios is vulnerable to Regular Expression Denial of Service (ReDoS). This vulnerability is due to the use of a regex with inefficient time complexity when parsing URLs with many / characters within the combineURLs method. This vulnerability results in Denial of Service if an attacker can manipulate...

AI score 6.9
Exploits 0

Veracode
added 2024/02/01 5:02 a.m. · 12 views

Regular Expression Denial Of Service (ReDoS)

nodemailer is vulnerable to Regular Expression Denial Of Service (ReDoS). The vulnerability is due to improper parsing of image files when the parameter attachDataUrls is set, resulting in long or infinite parsing time...

AI score 7
Exploits 0

Github Security Blog
added 2024/01/31 10:42 p.m. · 49 views

nodemailer ReDoS when trying to send a specially crafted email

Summary: A ReDoS vulnerability occurs when nodemailer tries to parse img files with the parameter attachDataUrls set, causing the event loop to get stuck. Another flaw was found when nodemailer tries to parse an attachment with an embedded file, also causing the event loop to get stuck. Details: Regex:...

AI score 6.8
Exploits 0 · References 5 · Affected Software 1

OSV
added 2024/01/31 3:20 p.m. · 15 views

BIT-LIFERAY-2022-42124

ReDoS vulnerability in LayoutPageTemplateEntryUpgradeProcess in Liferay Portal 7.3.2 through 7.4.3.4 and Liferay DXP 7.2 fix pack 9 through fix pack 18, 7.3 before update 4, and DXP 7.4 GA allows remote attackers to consume an excessive amount of server resources via a crafted payload injected in...

CVSS 7.5 · AI score 7.4 · EPSS 0.01232
Exploits 0 · References 4
