
5331 matches found

F5 Networks
added 2024/08/05 8:50 a.m., 23 views

K000140581: Apache mod_proxy vulnerability CVE-2024-36387

Security Advisory Description: Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance (CVE-2024-36387). Impact: There is no impact; F5 products are not affected by this vulnerability...

5.4 CVSS, 5.4 AI score, 0.01715 EPSS
Exploits 0
OSV
added 2024/08/05 5:15 a.m., 3 views

CVE-2024-41889

Multiple Pimax products accept WebSocket connections from unintended endpoints. If this vulnerability is exploited, arbitrary code may be executed by a remote unauthenticated attacker...

9.8 CVSS, 7.4 AI score, 0.0064 EPSS
Exploits 0, References 3
NVD
added 2024/08/05 5:15 a.m., 33 views

CVE-2024-41889

Multiple Pimax products accept WebSocket connections from unintended endpoints. If this vulnerability is exploited, arbitrary code may be executed by a remote unauthenticated attacker...

9.8 CVSS, 0.0064 EPSS
Exploits 0, References 3
Japan Vulnerability Notes
added 2024/08/05 4:58 a.m., 3 views

Pimax Play and PiTool accept WebSocket connections from unintended endpoints

Overview: Pimax Play and PiTool provided by Pimax accept WebSocket connections from unintended endpoints (CWE-923). Rei Yano reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact: Arbitrary code may be executed by a...

9.8 CVSS, 7 AI score, 0.0064 EPSS
Exploits 0, References 5
Cvelist
added 2024/08/05 4:36 a.m., 35 views

CVE-2024-41889

Multiple Pimax products accept WebSocket connections from unintended endpoints. If this vulnerability is exploited, arbitrary code may be executed by a remote unauthenticated attacker...

0.0064 EPSS
Exploits 0, References 3
Vulnrichment
added 2024/08/05 4:36 a.m., 23 views

CVE-2024-41889

Multiple Pimax products accept WebSocket connections from unintended endpoints. If this vulnerability is exploited, arbitrary code may be executed by a remote unauthenticated attacker...

7.9 AI score, 0.0064 EPSS
Exploits 0, References 3
CVE
added 2024/08/05 4:36 a.m., 81 views

CVE-2024-41889

CVE-2024-41889 affects Pimax Play and PiTool. The issue: WebSocket connections accepted from unintended endpoints, enabling a remote unauthenticated attacker to execute arbitrary code. Affected software includes Pimax Play (prior to version 1.21.01) and PiTool (all versions; no longer supported)....

9.8 CVSS, 7.7 AI score, 0.0064 EPSS
Exploits 0, References 3, Affected Software 2
Japan Vulnerability Notes
added 2024/08/05 12:0 a.m., 25 views

JVN#50850706: Pimax Play and PiTool accept WebSocket connections from unintended endpoints

Pimax Play and PiTool provided by Pimax accept WebSocket connections from unintended endpoints (CWE-923). Impact: Arbitrary code may be executed by a remote unauthenticated attacker. Solution: Update the Software. For Pimax Play, update the software to the latest version according to the information...

9.8 CVSS, 9.5 AI score, 0.0064 EPSS
Exploits 0
CNNVD
added 2024/08/05 12:0 a.m., 3 views

Pimax Play security vulnerability

Pimax Play is a virtual reality driver from the Chinese company Xiaopai Pimax. A security vulnerability exists in Pimax Play versions prior to V1.21.01, which stems from accepting a WebSocket connection from an unintended endpoint, where an unauthenticated, remote attacker may be able to execute...

9.8 CVSS, 9.4 AI score, 0.0064 EPSS
Exploits 0, References 5
Positive Technologies
added 2024/08/05 12:0 a.m., 5 views

PT-2024-5835 · Pimax · Pimax

Name of the Vulnerable Software and Affected Versions: Pimax products (affected versions not specified). Description: The issue concerns the implementation of the WebSocket protocol in Pimax applications for launching and managing Pimax Play games and PiTool software for configuring and calibrating ...

9.8 CVSS, 8.4 AI score, 0.0064 EPSS
Exploits 0, References 12
RedhatCVE
added 2024/07/31 8:16 a.m., 31 views

CVE-2023-40025

A flaw was found in Argo CD. Affected versions of Argo CD have a bug where open web terminal sessions do not expire. This bug allows users to send WebSocket messages even if the token has expired. The most straightforward scenario occurs when a user opens the terminal view and leaves it open for ...

7.1 CVSS, 6.1 AI score, 0.00484 EPSS
Exploits 1, References 4
Veracode
added 2024/07/25 7:12 a.m., 11 views

Information Disclosure

github.com/argoproj/argo-cd is vulnerable to Information Disclosure. The vulnerability is due to improper enforcement of permission revocation for open terminal sessions within websocket.go, which allows continued unauthorized access and the potential leakage of sensitive information even after...

6.5 CVSS, 6.2 AI score, 0.00685 EPSS
Exploits 1, References 6, Affected Software 1
Tenable Nessus
added 2024/07/20 12:0 a.m., 29 views

CBL Mariner 2.0 Security Update: httpd (CVE-2024-36387)

The version of httpd installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-36387 advisory. - Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference,...

5.4 CVSS, 6.9 AI score, 0.01715 EPSS
Exploits 0, References 2
OSV
added 2024/07/19 11:8 a.m., 3 views

OESA-2024-1847 mod_http2 security update

Mod_http2 is an official Apache httpd module, first released in 2.4.17. See Apache downloads to get a released version. mod_proxy_http2 has been released in 2.4.23. Security Fixes: Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a...

5.4 CVSS, 6.9 AI score, 0.01715 EPSS
Exploits 0, References 2
Microsoft CVE
added 2024/07/19 12:0 a.m., 2 views

CVE-2024-36387

...

5.4 CVSS, 6.2 AI score, 0.01715 EPSS
Exploits 0
Tenable Nessus
added 2024/07/14 12:0 a.m., 31 views

CBL Mariner 2.0 Security Update: reaper (CVE-2024-37890)

The version of reaper installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-37890 advisory. - ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding...

7.5 CVSS, 6.7 AI score, 0.01357 EPSS
Exploits 0, References 2
Microsoft CVE
added 2024/07/13 7:0 a.m., 3 views

Denial of service when handling a request with many HTTP headers in ws

...

7.5 CVSS, 6.9 AI score, 0.01357 EPSS
Exploits 0
OSV
added 2024/07/12 12:0 a.m., 20 views

OPENSUSE-SU-2024:14180-1 ruby3.3-rubygem-websocket-extensions-0.1.5-1.20 on GA media

These are all security issues fixed in the ruby3.3-rubygem-websocket-extensions-0.1.5-1.20 package on the GA media of openSUSE Tumbleweed...

7.5 CVSS, 7.6 AI score, 0.04349 EPSS
Exploits 1, References 1
BDU FSTEC
added 2024/07/12 12:0 a.m., 3 views

The vulnerability of the WebSocket protocol in the Apache HTTP Server web server allows an attacker to induce a service failure.

The vulnerability of the WebSocket protocol in the Apache HTTP Server is related to the assignment of a null pointer. Exploiting this vulnerability could allow a malicious actor to cause a service failure...

5.9 CVSS, 6.5 AI score, 0.03153 EPSS
Exploits 0, References 11, Affected Software 6
Ubuntu
added 2024/07/11 5:25 p.m., 89 views

USN-6885-2: Apache HTTP Server regression

USN-6885-1 fixed vulnerabilities in Apache HTTP Server. One of the security fixes introduced a regression when proxying requests to a HTTP/2 server. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Marc Stern discovered that the Apache HTTP Server...

7.6 AI score
Exploits 0, References 1