EulerOS 2.0 SP8 : haproxy (EulerOS-SA-2020-1805)

According to the versions of the haproxy package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The HTTP/2 implementation in HAProxy before 2.0.10 mishandles headers, as demonstrated by carriage return CR, ASCII 0xd, line feed LF, ASCII 0xa...

netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header

A flaw was found in Netty before version 4.1.44, where it accepted multiple Content-Length headers and also accepted both Transfer-Encoding, as well as Content-Length headers where it should reject the message under such circumstances. In circumstances where Netty is used in the context of a...

netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling

A flaw was found in Netty, where it mishandles Transfer-Encoding whitespace. This flaw allows HTTP Request Smuggling...

netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header

A flaw was found in Netty before version 4.1.44, where it accepted multiple Content-Length headers and also accepted both Transfer-Encoding, as well as Content-Length headers where it should reject the message under such circumstances. In circumstances where Netty is used in the context of a...

netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling

A flaw was found in Netty, where it mishandles Transfer-Encoding whitespace. This flaw allows HTTP Request Smuggling...

netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header

A flaw was found in Netty before version 4.1.44, where it accepted multiple Content-Length headers and also accepted both Transfer-Encoding, as well as Content-Length headers where it should reject the message under such circumstances. In circumstances where Netty is used in the context of a...

netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling

A flaw was found in Netty, where it mishandles Transfer-Encoding whitespace. This flaw allows HTTP Request Smuggling...

HaProxy HTTP Request Smuggling (CVE-2019-18277)

An Improper Input Validation exists in HaProxy. Messages featuring a transfer-encoding header missing the "chunked" value were not being correctly rejected. Successful exploitation could result in HTTP request smuggling vulnerability...

Improper Input Validation

Overview workerman/workerman is an asynchronous event driven PHP framework for easily building fast, scalable network applications. Affected versions of this package are vulnerable to Improper Input Validation. HTTP requests processed by workerman does not have adequate validation and as such,...

Security Bulletin: [All] Apache Tomcat (core only) (Publicly disclosed vulnerability) CVE-2020-1935, CVE-2019-17569

Summary In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a...

Security update for rubygem-puma (moderate)

openSUSE Security Update: Security update for rubygem-puma Announcement ID: openSUSE-SU-2020:1001-1 Rating: moderate References: 1172175 1172176 Cross-References: CVE-2020-11076 CVE-2020-11077 Affected Products: openSUSE Leap 15.2 An update that fixes two vulnerabilities is now...

Security update for rubygem-puma (moderate)

openSUSE Security Update: Security update for rubygem-puma Announcement ID: openSUSE-SU-2020:0990-1 Rating: moderate References: 1172175 1172176 Cross-References: CVE-2020-11076 CVE-2020-11077 Affected Products: openSUSE Leap 15.1 An update that fixes two vulnerabilities is now...

HTTP Request Smuggling

Overview tinyhttp is a Low level HTTP server library Affected versions of this package are vulnerable to HTTP Request Smuggling. HTTP pipelining issues and request smuggling attacks might be possible due to incorrect Transfer encoding header parsing. It is possible conduct HTTP request smuggling...

HTTP Request Smuggling

Amendment This was deemed not a vulnerability. Overview tiny-http is a Low level HTTP server library Affected versions of this package are vulnerable to HTTP Request Smuggling. HTTP pipelining issues and request smuggling attacks might be possible due to incorrect Transfer encoding header parsing...

HTTP Request smuggling through malformed Transfer Encoding headers

HTTP pipelining issues and request smuggling attacks are possible due to incorrect Transfer encoding header parsing. It is possible conduct HTTP request smuggling attacks CL:TE/TE:TE by sending invalid Transfer Encoding headers. By manipulating the HTTP response the attacker could poison a...

RUSTSEC-2020-0031 HTTP Request smuggling through malformed Transfer Encoding headers

HTTP pipelining issues and request smuggling attacks are possible due to incorrect Transfer encoding header parsing. It is possible conduct HTTP request smuggling attacks CL:TE/TE:TE by sending invalid Transfer Encoding headers. By manipulating the HTTP response the attacker could poison a...

HTTP Request Smuggling

agoo is vulnerable to HTTP request smuggling. When used as a backend and frontend proxy, an attacker is able to leverage TE:CL smuggling attacks by sending a content-length header twice or an invalid Transfer Encoding headers...

Unspecified vulnerability in goliath

goliath is an asynchronous framework for writing API servers. A security vulnerability exists in goliath 1.0.6 and earlier versions. An attacker could exploit the vulnerability by sending the Content-Length header twice to conduct an HTTP request smuggling attack. Additionally, it was found that...

CVE-2020-7670

agoo prior to 2.14.0 allows request smuggling attacks where agoo is used as a backend and a frontend proxy also being vulnerable. HTTP pipelining issues and request smuggling attacks might be possible due to incorrect Content-Length and Transfer encoding header parsing. It is possible to conduct...

CVE-2020-7671

goliath through 1.0.6 allows request smuggling attacks where goliath is used as a backend and a frontend proxy also being vulnerable. It is possible to conduct HTTP request smuggling attacks by sending the Content-Length header twice. Furthermore, invalid Transfer Encoding headers were found to b...