
393 matches found

OSV
added 2025/09/29 12:1 p.m., 1 view

USN-7280-3 python2.7 regression

USN-7280-2 fixed vulnerabilities in Python. It was discovered that the fixes for CVE-2025-0938 and CVE-2024-11168 were incorrectly applied on Ubuntu 14.04 LTS as a result. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that Python...

CVSS 6.3, AI score 6.7, EPSS 0.01437
Exploits: 0, References: 4

Redos
added 2025/09/29 12:0 a.m., 10 views

ROS-20250929-15

A vulnerability in the modssl function of the Apache HTTP Server web server is related to flaws in the authentication procedure when processing the SSLEngine optional parameter. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service using the TLS...

CVSS 7.5, AI score 6.7, EPSS 0.03322
Exploits: 1

Tenable Nessus
added 2025/09/10 12:0 a.m., 4 views

Linux Distros Unpatched Vulnerability : CVE-2020-7739

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - This affects all versions of package phantomjs-seo. It is possible for an attacker to craft a URL that will be passed to a PhantomJS instance allowing for an SS...

CVSS 8.2, AI score 7.7, EPSS 0.01369
Exploits: 1, References: 2

Tenable Nessus
added 2025/08/30 12:0 a.m., 4 views

Linux Distros Unpatched Vulnerability : CVE-2020-13309

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was vulnerable to a blind SSRF attack through the repository mirrori...

CVSS 8.8, AI score 7.8, EPSS 0.01265
Exploits: 0, References: 2

Tenable Nessus
added 2025/08/27 12:0 a.m., 5 views

Linux Distros Unpatched Vulnerability : CVE-2021-22179

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A vulnerability was discovered in GitLab versions before 12.2. GitLab was vulnerable to a SSRF attack through the Outbound Requests feature. CVE-2021-22179 Note...

CVSS 5.5, AI score 5.6, EPSS 0.00946
Exploits: 0, References: 2

Tenable Nessus
added 2025/08/18 12:0 a.m., 8 views

Linux Distros Unpatched Vulnerability : CVE-2024-22259

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL e.g. through a query parameter AND perform validation checks ...

CVSS 8.1, AI score 6.7, EPSS 0.03967
Exploits: 1, References: 3

Cvelist
added 2025/08/06 12:0 a.m., 7 views

CVE-2025-50234

MCCMS v2.7.0 has an SSRF vulnerability located in the index method of the sys\apps\controllers\api\Gf.php file, where the pic parameter is processed. The pic parameter is decrypted using the sysauth$pic, 1 function, which utilizes a hard-coded key McEncryptionKey bD2voYwPpNuJ7B8, defined in the...

EPSS 0.0023
Exploits: 1, References: 1

Redos
added 2025/08/04 12:0 a.m., 4 views

ROS-20250804-02

A vulnerability in Apache Kafka Message Manager is related to flaws in the deserialization mechanism. Exploitation of the vulnerability could allow an attacker acting remotely to execute remote code. Vulnerability in sasl.oauthbearer.token.endpoint.url and sasl.oauthbearer.jwks.endpoint.url client...

CVSS 8.8, AI score 7.6, EPSS 0.60841
Exploits: 2

Cvelist
added 2025/08/01 6:3 p.m., 38 views

CVE-2025-54590 webfinger.js is vulnerable to Blind SSRF attacks through localhost

webfinger.js is a TypeScript-based WebFinger client that runs in both browsers and Node.js environments. In versions 2.8.0 and below, the lookup function accepts user addresses for account checking. However, the ActivityPub specification requires preventing access to localhost services in...

CVSS 6.9, EPSS 0.00575
Exploits: 0, References: 3

CVE
added 2025/08/01 6:3 p.m., 20 views

CVE-2025-54590

CVE-2025-54590 affects webfinger.js (TypeScript WebFinger client). In versions 2.8.0 and earlier, the lookup function did not block localhost access (only basic localhost checks), enabling blind SSRF via crafted host/port/path in user addresses. Affected environments include browser and Node.js. ...

CVSS 6.9, AI score 6.8, EPSS 0.00575
Exploits: 0, References: 3

Cvelist
added 2025/07/29 10:11 p.m., 7 views

CVE-2025-54381 BentoML is Vulnerable to an SSRF Attack Through File Upload Processing

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. In versions 1.4.0 until 1.4.19, the file upload processing system contains an SSRF vulnerability that allows unauthenticated remote attackers to force the server to make arbitrary HTTP...

CVSS 9.9, EPSS 0.11114
Exploits: 1, References: 2

Vulnrichment
added 2025/07/29 10:11 p.m., 3 views

CVE-2025-54381 BentoML is Vulnerable to an SSRF Attack Through File Upload Processing

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. In versions 1.4.0 until 1.4.19, the file upload processing system contains an SSRF vulnerability that allows unauthenticated remote attackers to force the server to make arbitrary HTTP...

CVSS 9.9, AI score 7.5, EPSS 0.11114
Exploits: 1, References: 2

CVE
added 2025/07/29 10:11 p.m., 30 views

CVE-2025-54381

CVE-2025-54381 affects BentoML and its file-upload processing in versions 1.4.0–1.4.19. The vulnerability arises in the multipart form data and JSON request handlers, which download user-provided URLs without validating whether they point to internal networks, cloud metadata endpoints, or other r...

CVSS 9.9, AI score 7.5, EPSS 0.11114
Exploits: 1, References: 2, Affected Software: 1

BDU FSTEC
added 2025/07/24 12:0 a.m., 3 views

The vulnerability of the Apache HTTP Server web server, related to insufficient validation of incoming requests, allows attackers to perform SSRF attacks.

The vulnerability of the Apache HTTP Server is related to insufficient checking of incoming requests. Exploiting this vulnerability allows a malicious actor to perform an SSRF attack remotely...

CVSS 7.8, AI score 7.3, EPSS 0.01098
Exploits: 0, References: 6, Affected Software: 3

The Hacker News
added 2025/07/23 6:23 a.m., 11 views

CISA Warns: SysAid Flaws Under Active Attack Enable Remote File Access and SSRF

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two security flaws impacting SysAid IT support software to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerabilities in question are listed below - CVE-2025-2775 CVSS score: 9...

CVSS 9.8, AI score 8.7, EPSS 0.79133
Exploits: 4

Github Security Blog
added 2025/07/18 3:31 p.m., 17 views

XXL-JOB is vulnerable to SSRF attacks

A vulnerability, which was classified as critical, was found in Xuxueli xxl-job up to 3.1.1. Affected is the function httpJobHandler of the file src\main\java\com\xxl\job\executor\service\jobhandler\SampleXxlJob.java. The manipulation leads to server-side request forgery. It is possible to launch...

CVSS 8.8, AI score 6.4, EPSS 0.00394
Exploits: 1, References: 6, Affected Software: 1

Tenable Nessus
added 2025/07/17 12:0 a.m., 4 views

Oracle Coherence (July 2025 CPU)

The 12.2.1.4.0, 14.1.1.0.0, and 14.1.2.0.0 versions of Coherence installed on the remote host are affected by a vulnerability as referenced in the July 2025 CPU advisory. - Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class,...

CVSS 5.3, AI score 6.5, EPSS 0.00986
Exploits: 1, References: 3

Positive Technologies
added 2025/06/26 12:0 a.m., 1 view

PT-2025-27002 · Github · Octo-Sts

Name of the Vulnerable Software and Affected Versions: Octo-STS versions prior to v0.5.3. Description: Octo-STS is a GitHub App that acts like a Security Token Service (STS) for the GitHub API. The issue allows for unauthenticated Server-Side Request Forgery (SSRF) by abusing fields in OpenID Connect...

CVSS 8.6, AI score 7.2, EPSS 0.0041
Exploits: 0, References: 11

Rosalinux
added 2025/06/23 7:57 a.m., 6 views

Advisory ROSA-SA-2025-2901

Software: httpd 2.4.37; OS: ROSA Virtualization 2.1; packageevrstring: httpd-2.4.37-51.rv3.5; CVE-ID: CVE-2024-38472; BDU-ID: 2024-05354; CVE-Crit: HIGH; CVE-DESC.: A vulnerability in the Apache HTTP Server web server is related to insufficient validation of incoming requests. Exploitation of the...

CVSS 9.1, AI score 7.6, EPSS 0.6795
Exploits: 6

IBM Security Bulletins
added 2025/06/20 11:36 a.m., 1 view

Security Bulletin: Vulnerability in jetty-http affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0) [CVE-2024-6763]

Summary: The jetty-http package is used by IBM Cloud Pak for Data System 2.0. IBM Cloud Pak for Data System 2.0 has addressed the applicable CVEs: CVE-2024-6763. Vulnerability Details: CVEID: CVE-2024-6763. DESCRIPTION: Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet...

CVSS 5.3, AI score 5.1, EPSS 0.00986
Exploits: 1, Affected Software: 1