CVE-2020-11077 HTTP Smuggling via Transfer-Encoding Header in Puma

In Puma RubyGem before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the firs...

HTTP Smuggling via Transfer-Encoding Header in Puma

Impact By using an invalid transfer-encoding header, an attacker could smuggle an HTTP response. Patches The problem has been fixed in Puma 3.12.5 and Puma 4.3.4...

HTTP Smuggling via Transfer-Encoding Header in Puma

Impact This is a similar but different vulnerability to the one patched in 3.12.5 and 4.3.4. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via...

CVE-2020-7655

netius prior to 1.17.58 is vulnerable to HTTP Request Smuggling. HTTP pipelining issues and request smuggling attacks might be possible due to incorrect Transfer encoding header parsing which could allow for CL:TE or TE:TE attacks...

Design/Logic Flaw

netius prior to 1.17.58 is vulnerable to HTTP Request Smuggling. HTTP pipelining issues and request smuggling attacks might be possible due to incorrect Transfer encoding header parsing which could allow for CL:TE or TE:TE attacks...

CVE-2020-7655

netius prior to 1.17.58 is vulnerable to HTTP Request Smuggling. HTTP pipelining issues and request smuggling attacks might be possible due to incorrect Transfer encoding header parsing which could allow for CL:TE or TE:TE attacks...

netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header

A flaw was found in Netty before version 4.1.44, where it accepted multiple Content-Length headers and also accepted both Transfer-Encoding, as well as Content-Length headers where it should reject the message under such circumstances. In circumstances where Netty is used in the context of a...

netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header

A flaw was found in Netty before version 4.1.44, where it accepted multiple Content-Length headers and also accepted both Transfer-Encoding, as well as Content-Length headers where it should reject the message under such circumstances. In circumstances where Netty is used in the context of a...

MGASA-2020-0138 Updated tomcat packages fix security vulnerabilities

The updated packages fix security vulnerabilities: The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility ...

FreeBSD : Node.js -- multiple vulnerabilities (0032400f-624f-11ea-b495-000d3ab229d6)

Node.js reports : Updates are now available for all active Node.js release lines for the following issues. HTTP request smuggling using malformed Transfer-Encoding header Critical CVE-2019-15605HTTP request smuggling using malformed Transfer-Encoding header Critical CVE-2019-15605 Affected Node.j...

Important: Red Hat Security Advisory: http-parser security update

An update for http-parser is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability fr...

SUSE SLES15 Security Update : nodejs8 (SUSE-SU-2020:0454-1)

This update for nodejs8 fixes the following issues : Security issues fixed : CVE-2019-15604: Fixed a remotely triggerable assertion in the TLS server via a crafted certificate string CVE-2019-15604, bsc1163104. CVE-2019-15605: Fixed an HTTP request smuggling vulnerability via malformed...

nodejs: HTTP request smuggling using malformed Transfer-Encoding header

A flaw was found in the Node.js code where a specially crafted HTTPs request sent to a Node.js server failed to properly process the HTTPs headers, resulting in a request smuggling attack. An attacker can use this flaw to alter a request sent as an authenticated user if the Node.js server is...

netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header

A flaw was found in Netty before version 4.1.44, where it accepted multiple Content-Length headers and also accepted both Transfer-Encoding, as well as Content-Length headers where it should reject the message under such circumstances. In circumstances where Netty is used in the context of a...

nodejs: HTTP request smuggling using malformed Transfer-Encoding header

A flaw was found in the Node.js code where a specially crafted HTTPs request sent to a Node.js server failed to properly process the HTTPs headers, resulting in a request smuggling attack. An attacker can use this flaw to alter a request sent as an authenticated user if the Node.js server is...

CVE-2020-1935

A flaw was found in Apache Tomcat. The HTTP header parsing code used an approach to end-of-line EOL parsing that allowed some invalid HTTP headers to be parsed as valid. This led to the possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the...

GHSA-P2V9-G2QV-P635 HTTP Request Smuggling in Netty

HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header...

HTTP Request Smuggling

Node is vulnerable to HTTP request smuggling. Failure to validate malformed HTTP requests allows an attacker to smuggle HTTP requests using malicious Transfer-Encoding header...

HTTP Request Smuggling

Overview apple/swift-nio is an event-driven network application framework for high performance protocol servers & clients, non-blocking. Affected versions of this package are vulnerable to HTTP Request Smuggling. HTTP request smuggling is possible using malformed Transfer-Encoding header...

HTTP Request Smuggling

Overview SwiftNIOHTTP1 is a cross-platform asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Affected versions of this package are vulnerable to HTTP Request Smuggling. HTTP request smuggling is possible usin...