Apache Traffic Server (ATS) 8.0.0 < 8.1.3, 9.0.0 < 9.1.1 Multiple Vulnerabilities

Apache Traffic Server is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2021 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:apache:trafficserver"...

CVE-2021-37148 Request Smuggling - transfer encoding validation

Improper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.0.1...

F5 Networks BIG-IP : Apache Tomcat vulnerability (K32469285)

The version of F5 Networks BIG-IP installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the K32469285 advisory. Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP...

Updated tomcat packages fix security vulnerability

A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. CVE-2021-30640 Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not...

Security Bulletin: Netty Vulnerabilities Affect the B2B API of IBM Sterling B2B Integrator

Summary IBM Sterling B2B Integrator has addressed the security vulnerabilities. Vulnerability Details CVEID: CVE-2019-20445 DESCRIPTION: Netty could provide weaker than expected security, caused by non-proper handling of Content-Length and Transfer-Encoding in the HttpObjectDecoder.java. A remote...

Amazon Linux AMI : tomcat8 (ALAS-2021-1535)

The version of tomcat8 installed on the remote host is prior to 8.5.69-1.88. It is, therefore, affected by a vulnerability as referenced in the ALAS-2021-1535 advisory. Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding...

HAProxy Found Vulnerable to Critical HTTP Request Smuggling Attack

A critical security vulnerability has been disclosed in HAProxy, a widely used open-source load balancer and proxy server, that could be abused by an adversary to possibly smuggle HTTP requests, resulting in unauthorized access to sensitive data and execution of arbitrary commands, effectively...

Medium: tomcat8

Issue Overview: Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly...

HTTP Request Smuggling in hyper

Summary hyper's HTTP server code had a flaw that incorrectly understands some requests with multiple transfer-encoding headers to have a chunked payload, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that understands the request payload boundary different...

GHSA-6HFQ-H8HQ-87MF HTTP Request Smuggling in hyper

Summary hyper's HTTP server code had a flaw that incorrectly understands some requests with multiple transfer-encoding headers to have a chunked payload, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that understands the request payload boundary different...

GHSA-7V2R-WXMG-MGVC HTTP Request smuggling in tiny_http

HTTP pipelining issues and request smuggling attacks are possible due to incorrect Transfer encoding header parsing. It is possible conduct HTTP request smuggling attacks CL:TE/TE:TE by sending invalid Transfer Encoding headers. By manipulating the HTTP response the attacker could poison a...

HTTP Request smuggling in tiny_http

HTTP pipelining issues and request smuggling attacks are possible due to incorrect Transfer encoding header parsing. It is possible conduct HTTP request smuggling attacks CL:TE/TE:TE by sending invalid Transfer Encoding headers. By manipulating the HTTP response the attacker could poison a...

GHSA-4VWW-MC66-62M6 HTTP Request Smuggling in Apache Tomcat

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer...

tomcat: Mishandling of Transfer-Encoding header allows for HTTP request smuggling

A flaw was found in Apache Tomcat. The HTTP header parsing code used an approach to end-of-line EOL parsing that allowed some invalid HTTP headers to be parsed as valid. This led to the possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the...

netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header

A flaw was found in Netty before version 4.1.44, where it accepted multiple Content-Length headers and also accepted both Transfer-Encoding, as well as Content-Length headers where it should reject the message under such circumstances. In circumstances where Netty is used in the context of a...

Debian DLA-2733-1 : tomcat8 - LTS security update

The remote Debian 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-2733 advisory. - A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protecti...

[SECURITY] [DLA 2733-1] tomcat8 security update

Debian LTS Advisory DLA-2733-1 [email protected] https://www.debian.org/lts/security/ Markus Koschany August 05, 2021 https://wiki.debian.org/LTS Package : tomcat8 Version : 8.5.54-0+deb9u7 CVE ID : CVE-2021-30640 CVE-2021-33037 Debian Bug : 991046 991046 Several security vulnerabilitie...

FreeBSD : tomcat -- HTTP request smuggling in multiple versions (d34bef0b-f312-11eb-b12b-fc4dd43e2b6a)

Bahruz Jabiyev, Steven Sprecher and Kaan Onarlioglu of NEU seclab reports : Apache Tomcat did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: Tomcat incorrectly ignore...

Apache Tomcat 8.5.0 < 8.5.68

The version of Tomcat installed on the remote host is prior to 8.5.68. It is, therefore, affected by a vulnerability as referenced in the fixedinapachetomcat8.5.68security-8 advisory. - Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP...

Apache Tomcat 9.0.0.M1 < 9.0.48

The version of Tomcat installed on the remote host is prior to 9.0.48. It is, therefore, affected by a vulnerability as referenced in the fixedinapachetomcat9.0.48security-9 advisory. - Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP...