
5292 matches found

Debian CVE · added 2021/05/07 2:30 p.m. · 27 views

CVE-2021-21419

Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on the Eventlet side by sending very large websocket frames. A malicious peer may also exhaust memory on the Eventlet side by sending a highly compressed data frame. A patch in version 0.31.0 restricts websocket frame to...

CVSS 5.3 · AI score 6.2 · EPSS 0.01792 · Exploits 0
Positive Technologies · added 2021/05/07 12:00 a.m. · 8 views

PT-2021-3910 · Eventlet +3

Vulnerable software and affected versions: Eventlet versions prior to 0.31.0. Description: The issue is related to the handling of large websocket frames in the Eventlet library, which can lead to memory exhaustion. A malicious peer can exploit this by sending highly compressed data...

CVSS 9.8 · AI score 6.2 · EPSS 0.83042 · Exploits 5 · References 89
CNNVD · added 2021/05/07 12:00 a.m. · 2 views

Eventlet resource management error vulnerability

Eventlet is a concurrent networking library for Python. A resource management error vulnerability exists in Eventlet versions prior to 0.31.0, which stems from the possibility that a websocket peer may exhaust memory on the Eventlet side by sending very large websocket frames...

CVSS 5.3 · AI score 6.7 · EPSS 0.01792 · Exploits 0 · References 18
RedHat Linux · added 2021/05/06 5:45 p.m. · 3 views

jetty: Resource exhaustion when receiving an invalid large TLS frame

When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is incorrectly handled, causing high CPU resource utilization. The highest threat from this vulnerability is to service availability...

CVSS 7.8 · AI score 7.2 · EPSS 0.53861 · Exploits 1 · References 5
Tenable Nessus · added 2021/04/29 12:00 a.m. · 36 views

F5 Networks BIG-IP : BIG-IP ASM and Advanced WAF WebSocket vulnerability (K18570111)

The version of F5 Networks BIG-IP installed on the remote host is prior to 12.1.5.3 / 13.1.3.5 / 14.1.3.1 / 15.1.2 / 16.0.1.1 / 16.1.0. It is, therefore, affected by a vulnerability as referenced in the K18570111 advisory. - On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before...

CVSS 7.5 · AI score 7.5 · EPSS 0.00961 · Exploits 0 · References 2
OpenVAS · added 2021/04/19 12:00 a.m. · 48 views

SUSE: Security Advisory (SUSE-SU-2020:2611-1)

The remote host is missing an update for the ... (SPDX-FileCopyrightText: 2021 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are copyright by the respective right holders. SPDX-License-Identifier: GPL-2.0-only.)

CVSS 7.5 · AI score 7.6 · EPSS 0.87553 · Exploits 1 · References 5
OpenVAS · added 2021/04/19 12:00 a.m. · 39 views

SUSE: Security Advisory (SUSE-SU-2018:2699-1)

The remote host is missing an update for the ... (SPDX-FileCopyrightText: 2021 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are copyright by the respective right holders. SPDX-License-Identifier: GPL-2.0-only.)

CVSS 9.8 · AI score 8.7 · EPSS 0.21979 · Exploits 0 · References 9
OSV · added 2021/04/14 8:04 p.m. · 33 views

GO-2020-0019 Integer overflow in github.com/gorilla/websocket

An attacker can craft malicious WebSocket frames that cause an integer overflow in a variable which tracks the number of bytes remaining. This may cause the server or client to get stuck attempting to read frames in a loop, which can be used as a denial of service vector...

CVSS 7.5 · AI score 7.3 · EPSS 0.02342 · Exploits 0 · References 2
OSV · added 2021/04/13 3:27 p.m. · 0 views

GHSA-C9G6-9335-X697 Improper Input Validation in SocksJS-Node

Incorrect handling of an Upgrade header with the value websocket leads to crashing of containers hosting sockjs apps. This affects the package sockjs before 0.3.20...

CVSS 5.3 · AI score 7.1 · EPSS 0.04978 · Exploits 3 · References 8
Kitploit · added 2021/04/10 9:30 p.m. · 525 views

Gotestwaf - Go Test WAF Is A Tool To Test Your WAF Detection Capabilities Against Different Types Of Attacks And By-Pass Techniques

An open-source Go project to test different web application firewalls (WAFs) for detection logic and bypasses. How it works: a three-step request generation process multiplies the payloads by the encoders and placeholders. Let's say you defined 2 payloads, 3 encoders (Base64, JSON, and...

AI score 7.1 · Exploits 0 · References 1
OSV · added 2021/04/06 5:31 p.m. · 1 view

GHSA-26VR-8J45-3R4W Jetty vulnerable to incorrect handling of invalid large TLS frame, exhausting CPU resources

Impact: When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is incorrectly handled, causing CPU resources to eventually reach 100% usage. Workarounds: The problem can be worked around by compiling the...

CVSS 7.5 · AI score 7.2 · EPSS 0.53861 · Exploits 1 · References 109
RedhatCVE · added 2021/04/01 6:17 p.m. · 58 views

CVE-2021-28165

When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is incorrectly handled, causing high CPU resource utilization. The highest threat from this vulnerability is to service availability...

CVSS 7.8 · AI score 1.9 · EPSS 0.53861 · Exploits 1 · References 4
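For the Jetty TLS entries listed here (the jetty RHSA, GHSA-26VR-8J45-3R4W and CVE-2021-28165), the property a server needs is that a record whose declared length is out of range is refused at the 5-byte record header instead of being processed further. The block below is an added example in Python, not Jetty's code and not a model of its SSLEngine handling: it validates the RFC 5246 record header (content type, version, uint16 length), splits a byte stream into complete records, and fails fast on an oversized length. The default cap is the RFC 5246 TLSCiphertext maximum (2^14 + 2048 bytes); the advisory's 17408-byte figure appears only as a caller-supplied cap in the checks, and the sample records, the `RecordError` type and the `rejects` helper are constructed for this example.

```python
import struct

TLS_MAX_CIPHERTEXT = (1 << 14) + 2048   # RFC 5246 section 6.2.3: TLSCiphertext.length limit
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


class RecordError(ValueError):
    """Invalid record header: close the connection (a record_overflow alert for bad lengths)."""


def parse_record_header(buf: bytes, max_len: int = TLS_MAX_CIPHERTEXT):
    """Validate a 5-byte TLS record header and return (content_type, version, length).

    The length is compared against the cap before the body is buffered, so an
    oversized record is rejected in constant time instead of being retried or
    reassembled; max_len lets a deployment apply a tighter policy than the RFC.
    """
    if len(buf) < 5:
        raise RecordError("record header needs 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", buf[:5])
    if ctype not in CONTENT_TYPES:
        raise RecordError(f"unknown content type {ctype}")
    if major != 3:   # SSL 3.0 and every TLS version carry 3 in the major byte
        raise RecordError(f"unsupported record version {major}.{minor}")
    if length > max_len:
        raise RecordError(f"record length {length} exceeds {max_len} (record_overflow)")
    return CONTENT_TYPES[ctype], (major, minor), length


def build_record(ctype: int, body: bytes, version=(3, 3)) -> bytes:
    """Encode one record; used only to construct sample traffic for this example."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(body)) + body


def split_records(stream: bytes, max_len: int = TLS_MAX_CIPHERTEXT):
    """Split a byte stream into complete records, returning (records, bytes_consumed).

    An invalid header raises immediately; an incomplete trailing record is left
    unconsumed so the caller can read more bytes and try again later.
    """
    records, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, version, length = parse_record_header(stream[pos:pos + 5], max_len)
        end = pos + 5 + length
        if end > len(stream):
            break
        records.append((ctype, version, stream[pos + 5:end]))
        pos = end
    return records, pos


def rejects(fn, *args) -> bool:
    """True when fn(*args) raises RecordError (helper for the checks below)."""
    try:
        fn(*args)
    except RecordError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: a handshake record, an application-data record, and
    # an application-data record of 17409 bytes that passes the RFC cap but not
    # a 17408-byte policy cap.
    stream = build_record(22, b"\x01\x02") + build_record(23, b"abc")
    print(split_records(stream))
    big = build_record(23, bytes(17409))
    print(parse_record_header(big))                 # accepted under the RFC cap
    print(rejects(split_records, big, 17408))       # True: rejected under a 17408-byte cap
```

The reader never loops on a record it has already judged invalid: `parse_record_header` raises, the caller closes the connection, and no CPU is spent retrying the same bytes.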
RedHat Linux · added 2021/03/25 9:52 a.m. · 14 views

golang-github-gorilla-websocket: integer overflow leads to denial of service

An integer overflow vulnerability exists with the length of websocket frames received via a websocket connection. An attacker could use this flaw to cause a denial of service attack on an HTTP Server allowing websocket connections...

CVSS 7.5 · AI score 7.4 · EPSS 0.02342 · Exploits 0 · References 5
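The Eventlet entries above (CVE-2021-21419: very large and highly compressed websocket frames exhausting memory) and the gorilla/websocket entries (GO-2020-0019: an integer overflow in the bytes-remaining counter) fail at the same place, the frame header. The following is an added example, not code from Eventlet, gorilla/websocket or any listed advisory: a Python parser for an RFC 6455 frame header that bounds the declared payload length before anything is allocated, rejects 64-bit lengths with the top bit set, and inflates permessage-deflate payloads (RFC 7692) under an output cap. The 1 MiB and 4 MiB limits, the `FrameError`/`rejects`/`build_header` helpers and the sample frames are assumptions constructed for this example.

```python
import struct
import zlib

MAX_FRAME_PAYLOAD = 1 << 20          # assumed policy: 1 MiB for one frame
MAX_INFLATED_SIZE = 4 << 20          # assumed policy: 4 MiB after inflation
INFLATE_CHUNK = 64 * 1024            # inflate in bounded steps
DEFLATE_TAIL = b"\x00\x00\xff\xff"   # RFC 7692: sender strips it, receiver re-appends it


class FrameError(ValueError):
    """The frame must be rejected; a server would close with status 1009 (message too big)."""


def rejects(fn, *args) -> bool:
    """True when fn(*args) raises FrameError (helper for the checks below)."""
    try:
        fn(*args)
    except FrameError:
        return True
    return False


def build_header(payload_len, opcode=0x2, fin=True, rsv1=False, masked=False) -> bytes:
    """Encode an RFC 6455 frame header; used only to construct sample frames."""
    b0 = (0x80 if fin else 0) | (0x40 if rsv1 else 0) | (opcode & 0x0F)
    mbit = 0x80 if masked else 0
    if payload_len < 126:
        hdr = bytes([b0, mbit | payload_len])
    elif payload_len < 1 << 16:
        hdr = bytes([b0, mbit | 126]) + struct.pack("!H", payload_len)
    else:
        hdr = bytes([b0, mbit | 127]) + struct.pack("!Q", payload_len)
    return hdr + (b"\x00\x00\x00\x00" if masked else b"")   # all-zero masking key for the sample


def parse_frame_header(buf: bytes, max_payload=MAX_FRAME_PAYLOAD):
    """Return (fin, rsv1, opcode, masked, payload_len, header_len).

    The declared length is checked against max_payload before any buffer for
    the body exists (the Eventlet fix), and a 64-bit length with the top bit
    set is rejected outright: RFC 6455 forbids it, and a value of that shape
    is what wrapped gorilla/websocket's signed bytes-remaining counter.
    """
    if len(buf) < 2:
        raise FrameError("truncated header")
    b0, b1 = buf[0], buf[1]
    fin, rsv1, opcode = bool(b0 & 0x80), bool(b0 & 0x40), b0 & 0x0F
    masked, length = bool(b1 & 0x80), b1 & 0x7F
    offset = 2
    if length == 126:
        if len(buf) < 4:
            raise FrameError("truncated 16-bit length")
        (length,) = struct.unpack("!H", buf[2:4])
        offset = 4
    elif length == 127:
        if len(buf) < 10:
            raise FrameError("truncated 64-bit length")
        (length,) = struct.unpack("!Q", buf[2:10])
        offset = 10
        if length & (1 << 63):
            raise FrameError("64-bit length with the most significant bit set")
    if masked:
        offset += 4
    if length > max_payload:
        raise FrameError(f"payload of {length} bytes exceeds the {max_payload}-byte limit")
    return fin, rsv1, opcode, masked, length, offset


def deflate_for_ws(msg: bytes) -> bytes:
    """Compress as a permessage-deflate sender does: raw DEFLATE, sync flush, tail stripped."""
    c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    data = c.compress(msg) + c.flush(zlib.Z_SYNC_FLUSH)
    return data[:-4] if data.endswith(DEFLATE_TAIL) else data


def inflate_bounded(payload: bytes, limit=MAX_INFLATED_SIZE) -> bytes:
    """Inflate a permessage-deflate payload, aborting as soon as output exceeds limit.

    Inflating in INFLATE_CHUNK-sized steps means a few kilobytes of highly
    compressed input can never make the receiver allocate gigabytes.
    """
    d = zlib.decompressobj(-zlib.MAX_WBITS)
    out = bytearray()
    data = payload + DEFLATE_TAIL
    try:
        while data:
            out += d.decompress(data, INFLATE_CHUNK)
            if len(out) > limit:
                raise FrameError(f"inflated size exceeds {limit} bytes (decompression bomb)")
            data = d.unconsumed_tail
        out += d.flush()
    except zlib.error as exc:
        raise FrameError(f"malformed DEFLATE stream: {exc}") from None
    if len(out) > limit:
        raise FrameError(f"inflated size exceeds {limit} bytes (decompression bomb)")
    return bytes(out)
```

Usage: `parse_frame_header(build_header(1 << 63))` and `parse_frame_header(build_header(MAX_FRAME_PAYLOAD + 1))` both raise `FrameError`, while `inflate_bounded(deflate_for_ws(bytes(8 << 20)))` raises after inflating just past the 4 MiB cap even though the compressed payload is only a few kilobytes.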
Tenable Nessus · added 2021/03/25 12:00 a.m. · 39 views

Cisco IOS XE Software Web UI Cross Site WebSocket Hijacking (cisco-sa-iosxe-cswsh-FKk9AzT5)

According to its self-reported version, Cisco IOS-XE Software is affected by a vulnerability. Please see the included Cisco BIDs and Cisco Security Advisory for more information...

CVSS 7.4 · AI score 7 · EPSS 0.006 · Exploits 0 · References 4
Tenable Nessus · added 2021/03/25 12:00 a.m. · 23 views

RHEL 7 : OpenShift Container Platform 3.11.404 (RHSA-2021:0833)

The remote Redhat Enterprise Linux 7 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2021:0833 advisory. Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud...

CVSS 7.5 · AI score 6.7 · EPSS 0.02342 · Exploits 0 · References 8
NVD · added 2021/03/24 8:15 p.m. · 12 views

CVE-2021-1403

A vulnerability in the web UI feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site WebSocket hijacking CSWSH attack and cause a denial of service DoS condition on an affected device. This vulnerability is due to insufficient HTTP protections in...

CVSS 7.4 · EPSS 0.006 · Exploits 0 · References 1
Prion · added 2021/03/24 8:15 p.m. · 21 views

Cross-site scripting

A vulnerability in the web UI feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site WebSocket hijacking CSWSH attack and cause a denial of service DoS condition on an affected device. This vulnerability is due to insufficient HTTP protections in...

CVSS 7.1 · AI score 7.2 · EPSS 0.006 · Exploits 0 · References 1 · Affected software 1
Cvelist · added 2021/03/24 8:07 p.m. · 20 views

CVE-2021-1403 Cisco IOS XE Software Web UI Cross-Site WebSocket Hijacking Vulnerability

A vulnerability in the web UI feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site WebSocket hijacking CSWSH attack and cause a denial of service DoS condition on an affected device. This vulnerability is due to insufficient HTTP protections in...

CVSS 7.4 · AI score 7.5 · EPSS 0.006 · Exploits 0 · References 1
Cisco · added 2021/03/24 4:00 p.m. · 72 views

Cisco IOS XE Software Web UI Cross-Site WebSocket Hijacking Vulnerability

A vulnerability in the web UI feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site WebSocket hijacking CSWSH attack and cause a denial of service DoS condition on an affected device. This vulnerability is due to insufficient HTTP protections in...

CVSS 7.4 · AI score 7.2 · EPSS 0.006 · Exploits 0 · References 1
CNNVD · added 2021/03/24 12:00 a.m. · 4 views

Cisco IOS XE data forgery issue vulnerability

Cisco IOS XE Software is an operating system from Cisco, Inc.: a single operating system for enterprise wired and wireless access, aggregation, core, and WAN, Cisco IOS XE reduces business and network complexity. Cisco IOS XE Software suffers from a data forgery issue vulnerability that stems from...

CVSS 7.4 · AI score 6.9 · EPSS 0.006 · Exploits 0 · References 6
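The SockJS-Node entry above (GHSA-C9G6-9335-X697: an Upgrade header with the value websocket that crashed the hosting container) and the Cisco IOS XE cross-site WebSocket hijacking entries (CVE-2021-1403, "insufficient HTTP protections") are both handshake problems: the server has to validate the upgrade request and the Origin before it switches protocols, and every failure has to be an ordinary HTTP response rather than an exception. The following is an added example in Python, not code from SockJS, Cisco or any listed advisory: a handshake validator that returns a clean 4xx for malformed upgrades, enforces an Origin allow-list against CSWSH, and computes Sec-WebSocket-Accept per RFC 6455. The allow-list, the sample request dictionaries and the `require_origin` policy flag are assumptions constructed for this example.

```python
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # RFC 6455 section 1.3
ALLOWED_ORIGINS = {"https://app.example"}           # assumed deployment policy

# Constructed sample handshakes (header names are case-insensitive; values as a browser sends them).
GOOD_REQUEST = {
    "Host": "app.example",
    "Upgrade": "websocket",
    "Connection": "keep-alive, Upgrade",
    "Sec-WebSocket-Key": "dGhlIHNhbXBsZSBub25jZQ==",   # the RFC 6455 section 1.3 sample key
    "Sec-WebSocket-Version": "13",
    "Origin": "https://app.example",
}
CROSS_SITE_REQUEST = dict(GOOD_REQUEST, Origin="https://attacker.example")   # CSWSH attempt
BARE_UPGRADE_REQUEST = {"Host": "app.example", "Upgrade": "websocket"}      # SockJS-style bare upgrade


def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)), RFC 6455 section 4.2.2."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def _tokens(value: str) -> set:
    """Split a comma-separated header value into lower-case tokens."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def validate_upgrade(method, headers, allowed_origins=ALLOWED_ORIGINS, require_origin=True):
    """Return (status, reason, response_headers); 101 only when every check passes.

    Every failure is a normal HTTP status so a malformed upgrade can never take
    down the process that handles it.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if method != "GET":
        return 405, "WebSocket handshake must use GET", {}
    if h.get("upgrade", "").strip().lower() != "websocket":
        return 400, "missing or invalid Upgrade header", {}
    if "upgrade" not in _tokens(h.get("connection", "")):
        return 400, "Connection header does not include the upgrade token", {}
    if h.get("sec-websocket-version", "").strip() != "13":
        return 426, "unsupported Sec-WebSocket-Version", {"Sec-WebSocket-Version": "13"}
    key = h.get("sec-websocket-key", "").strip()
    try:
        raw = base64.b64decode(key, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        raw = b""
    if len(raw) != 16:
        return 400, "Sec-WebSocket-Key must be 16 base64-encoded bytes", {}
    # CSWSH defence: a browser always sends Origin on an upgrade, and a page on
    # another site can open a socket with the victim's cookies attached, so
    # only allow-listed origins may complete the handshake.
    origin = h.get("origin")
    if origin is None:
        if require_origin:
            return 403, "Origin header required", {}
    elif origin.strip().lower() not in allowed_origins:
        return 403, f"origin {origin} is not allowed", {}
    return 101, "Switching Protocols", {
        "Upgrade": "websocket",
        "Connection": "Upgrade",
        "Sec-WebSocket-Accept": accept_key(key),
    }


if __name__ == "__main__":
    for name, req in (("good", GOOD_REQUEST), ("cross-site", CROSS_SITE_REQUEST),
                      ("bare upgrade", BARE_UPGRADE_REQUEST)):
        print(name, validate_upgrade("GET", req)[:2])
```

Refusing requests that carry no Origin at all is a policy choice: browsers always send it on a WebSocket upgrade, so a missing header means a non-browser client, and whether such clients may ride on cookie-based sessions should be decided explicitly (here via `require_origin`). The Origin check alone does not replace a per-session token in the upgrade URL or first message, which also defends against clients that can set arbitrary headers.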