CentOS 7 : libvncserver (RHSA-2020:3281)

The remote CentOS Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:3281 advisory. - It was discovered that websockets.c in LibVNCServer prior to 0.9.12 did not properly decode certain WebSocket frames. A malicious attacker could exploit this ...

Ubuntu 16.04 LTS : Tomcat vulnerabilities (USN-4448-1)

The remote Ubuntu 16.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4448-1 advisory. It was discovered that Tomcat incorrectly validated the payload length in a WebSocket frame. A remote attacker could possibly use this issue to cause...

tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS

A flaw was found in Apache Tomcat, where the payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. The highest threat from this vulnerability is to...

tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS

A flaw was found in Apache Tomcat, where the payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. The highest threat from this vulnerability is to...

Important: Red Hat Security Advisory: Red Hat JBoss Web Server 5.3.2 security update

Updated Red Hat JBoss Web Server 5.3.2 packages are now available for Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, and Red Hat Enterprise Linux 8. Red Hat Product Security has rated this release as having a security impact of Important. A Common Vulnerability Scoring System CVSS base...

tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS

A flaw was found in Apache Tomcat, where the payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. The highest threat from this vulnerability is to...

tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS

A flaw was found in Apache Tomcat, where the payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. The highest threat from this vulnerability is to...

Denial Of Service (DoS)

libvncserver is vulnerable to denial of service DoS. The vulnerability exists through a websocket decoding buffer overflow...

RHEL 6 / 7 : Red Hat JBoss Web Server 3.1 Service Pack 10 (RHSA-2020:3303)

The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3303 advisory. Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the...

CVE-2020-16271

The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 generates insufficiently random numbers, which allows remote attackers to read and modify data in the KeePass database via a WebSocket connection...

CVE-2020-16272

The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 is missing validation for a client-provided parameter, which allows remote attackers to read and modify data in the KeePass database via an A=0 WebSocket connection...

CVE-2020-16271

The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 generates insufficiently random numbers, which allows remote attackers to read and modify data in the KeePass database via a WebSocket connection...

Input validation

The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 is missing validation for a client-provided parameter, which allows remote attackers to read and modify data in the KeePass database via an A=0 WebSocket connection...

Design/Logic Flaw

The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 generates insufficiently random numbers, which allows remote attackers to read and modify data in the KeePass database via a WebSocket connection...

CVE-2020-16271

Kee Vault KeePassRPC (SRP-6a) before version 1.12.0 uses a weak random-number generator, enabling remote attackers to read and modify KeePass data over WebSocket. Affected component: SRP-6a implementation; impact is data confidentiality and integrity. Remediation: upgrade to KeePassRPC 1.12.0 or ...

CVE-2020-16272

The CVE-2020-16272 entry concerns Kee Vault KeePassRPC prior to 1.12.0. The SRP-6a implementation lacks validation of a client-provided parameter, enabling remote attackers over a WebSocket (A=0) connection to read and modify data in the KeePass database. Multiple sources (NVD entry, Red Hat advi...

CVE-2020-16272

The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 is missing validation for a client-provided parameter, which allows remote attackers to read and modify data in the KeePass database via an A=0 WebSocket connection...

libvncserver: websocket decoding buffer overflow

A flaw was found in libvncserver. A heap-based buffer overflow within the websocket decoding functionality is possible, which can lead to exploitation by a malicious attacker to overwrite a function pointer. The highest threat from this vulnerability is to data confidentiality and integrity as we...

Improper SSL Certificate Verification

faye is vulnerable to improper SSL certificate validation. The vulnerability exists as it does not implement certificate verification by default, allowing any hostname in the wss: connection made by the Faye::WebSocket::Client to be made unvalidated...

Improper SSL Certificate Verification

faye-websocket is vulnerable to improper SSL certificate validation. The vulnerability exists as it does not implement certificate verification by default, allowing any hostname in the wss: connection made by the Faye::WebSocket::Client to be made unvalidated...