CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

1164 matches found

Debian CVE•added 2024/04/16 12:0 a.m.•43 views

CVE-2024-1135

Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling HRS vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handli...

7.5CVSS7.9AI score0.02996EPSS

Exploits0

CNNVD•added 2024/04/15 12:0 a.m.•2 views

Gunicorn 环境问题漏洞

Gunicorn is a Python web server gateway interface HTTP server from the Gunicorn open source. Gunicorn suffers from an environment issue vulnerability that stems from an inability to properly validate the Transfer-Encoding header, resulting in an HTTP Request Smuggling HRS attack...

7.5CVSS7.6AI score0.02996EPSS

Exploits0References7

BDU FSTEC•added 2024/03/20 12:0 a.m.•3 views

The vulnerability of the aiohttp HTTP client, related to deficiencies in handling headers like Content-Length and Transfer-Encoding, allows attackers to send hidden HTTP requests (HTTP Request Smuggling attack).

The vulnerability of the aiohttp HTTP client is related to deficiencies in handling headers such as Content-Length and Transfer-Encoding. Exploiting this vulnerability allows an attacker to send hidden HTTP requests remotely HTTP Request Smuggling attack...

6.5CVSS6.3AI score0.0094EPSS

Exploits4References4Affected Software2

OSV•added 2024/03/06 7:15 p.m.•0 views

UBUNTU-CVE-2024-25111

Squid is a web proxy cache. Starting in version 3.5.27 and prior to version 6.8, Squid may be vulnerable to a Denial of Service attack against HTTP Chunked decoder due to an uncontrolled recursion bug. This problem allows a remote attacker to cause Denial of Service when sending a crafted, chunke...

8.6CVSS7.2AI score0.65254EPSS

Exploits0References6

OSV•added 2024/03/06 11:10 a.m.•38 views

BIT-TOMCAT-2021-33037 Incorrect Transfer-Encoding handling with HTTP/1.0

Apache Tomcat 10.0.0 to 10.0.6, 9.0.0 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer...

5.3CVSS6.8AI score0.75353EPSS

Exploits1References17

OSV•added 2024/03/06 11:6 a.m.•32 views

BIT-RUBY-2020-25613

An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy which also has a po...

7.5CVSS7.8AI score0.03772EPSS

Exploits0References9

OSV•added 2024/03/06 11:4 a.m.•30 views

BIT-NODE-2022-32213

The llhttp parser v14.20.1, v16.17.1 and v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling HRS...

6.5CVSS7.3AI score0.35079EPSS

Exploits1References8

OSV•added 2024/03/06 11:3 a.m.•16 views

BIT-GOLANG-2022-1705 Improper sanitization of Transfer-Encoding headers in net/http

Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid...

6.5CVSS7.4AI score0.01113EPSS

Exploits1References7

Tenable Nessus•added 2024/03/06 12:0 a.m.•12 views

HTTP Request Smuggling

Modern web applications are often deployed with a chain of HTTP servers which ensure the transmission of the HTTP traffic from users to the service. Typical deployments include the usage of a front-end server, usually a load balancer or a reverse proxy, which will then transmit the requests to on...

7.5AI score

Exploits0References2

BDU FSTEC•added 2024/02/15 12:0 a.m.•3 views

The vulnerability of the http parser() function in the Apache bRPC RPC framework allows a attacker to send hidden HTTP requests (HTTP Request Smuggling attack).

The vulnerability of the http parser function in the Apache bRPC RPC framework is related to a discrepancy in the RFC-7230 HTTP 1.1 specification regarding the handling of HTTP requests when processing fields such as Transfer-Encoding and Content-Length. Exploiting this vulnerability allows an...

7.8CVSS7.2AI score0.01637EPSS

Exploits0References7Affected Software1

OSV•added 2024/02/08 9:15 a.m.•32 views

CVE-2024-23452

Request smuggling vulnerability in HTTP server in Apache bRPC 0.9.51.7.0 on all platforms allows attacker to smuggle request. Vulnerability Cause Description： The httpparser does not comply with the RFC-7230 HTTP 1.1 specification. Attack scenario: If a message is received with both a...

7.5CVSS7.4AI score

Exploits0References4

Tenable Nessus•added 2024/02/06 12:0 a.m.•40 views

Amazon Linux 2 : tomcat (ALASTOMCAT8.5-2024-017)

The version of tomcat installed on the remote host is prior to 8.5.69-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2TOMCAT8.5-2024-017 advisory. 2024-02-15: CVE-2021-30640 was added to this advisory. 2024-02-15: CVE-2021-33037 was added to this advisory. A...

6.5CVSS7.3AI score0.75353EPSS

Exploits4References8

Amazon•added 2024/02/05 12:0 a.m.•6 views

Important: tomcat

Issue Overview: A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to...

6.5CVSS6.9AI score0.75353EPSS

Exploits4

Positive Technologies•added 2024/01/17 12:0 a.m.•3 views

PT-2024-1633 · Apache · Apache Brpc

Name of the Vulnerable Software and Affected Versions: Apache bRPC versions 0.9.5 through 1.7.0 Description: The issue arises from the http parser not complying with the RFC-7230 HTTP 1.1 specification, specifically when handling messages with both Transfer-Encoding and Content-Length header...

7.8CVSS7.4AI score0.01637EPSS

Exploits0References14

Veracode•added 2024/01/09 7:22 a.m.•28 views

HTTP Request Smuggling

puma is vulnerable to HTTP Request Smuggling. The vulnerability is caused due to a missing validation while parsing chunked transfer encoding bodies, resulting in the smuggling of requests and unbounded resource consumption DoS...

7.5CVSS6.8AI score0.00958EPSS

Exploits0References4Affected Software1

Github Security Blog•added 2024/01/08 3:56 p.m.•67 views

Puma HTTP Request/Response Smuggling vulnerability

Impact Prior to versions 6.4.2 and 5.6.8, puma exhibited dangerous behavior when parsing chunked transfer encoding bodies. Fixed versions limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource CPU, network bandwidth consumption. Patches The vulnerabilit...

7.5CVSS5.7AI score0.00958EPSS

Exploits0References8Affected Software1

UbuntuCve•added 2024/01/08 2:15 p.m.•36 views

CVE-2024-21647

Puma is a web server for Ruby/Rack applications built for parallelism. Prior to version 6.4.2, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTTP request smuggling. Fixed versions limits the size of chunk extensions. Without this limit, an...

7.5CVSS6.6AI score0.00958EPSS

Exploits0References4

OSV•added 2024/01/08 1:45 p.m.•35 views

CVE-2024-21647 HTTP Request/Response Smuggling in puma

5.9CVSS6AI score0.00958EPSS

Exploits0References5