5313 matches found

Amazon
added 2024/05/30 12:00 a.m., 5 views

Medium: golang

Issue Overview: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed...

CVSS 7.5, AI score 6.7, EPSS 0.91969
Exploits: 1
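The CONTINUATION flood described above works because a receiver has to buffer every HEADERS and CONTINUATION fragment of a stream until END_HEADERS arrives, and only then runs HPACK decoding. The defence is to cap the accumulated header block while the fragments are still arriving. The Go program below is an added illustration written for this page, not Go's net/http or x/net/http2 code: it encodes and decodes raw HTTP/2 frames with the standard library only, builds a constructed attacker stream that never sets END_HEADERS, and shows a reader that aborts as soon as the block crosses a configured limit. Padding and priority fields are not modelled, and `ReadHeaderBlock`, `ContinuationFlood` and the frame helpers are names chosen here.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame types and flags from RFC 9113, limited to what this example needs.
const (
	frameHeaders      = 0x1
	frameContinuation = 0x9
	flagEndHeaders    = 0x4
)

var errHeaderBlockTooLarge = errors.New("header block exceeds configured limit")

// Frame is one decoded HTTP/2 frame (padding/priority fields not modelled).
type Frame struct {
	Type     uint8
	Flags    uint8
	StreamID uint32
	Payload  []byte
}

// encodeFrame serialises f behind the 9-octet frame header
// (24-bit length, 8-bit type, 8-bit flags, 31-bit stream id).
func encodeFrame(f Frame) []byte {
	n := len(f.Payload)
	buf := make([]byte, 9+n)
	buf[0], buf[1], buf[2] = byte(n>>16), byte(n>>8), byte(n)
	buf[3] = f.Type
	buf[4] = f.Flags
	binary.BigEndian.PutUint32(buf[5:9], f.StreamID&0x7fffffff)
	copy(buf[9:], f.Payload)
	return buf
}

// decodeFrame parses the first frame in b and returns the remaining bytes.
func decodeFrame(b []byte) (Frame, []byte, error) {
	if len(b) < 9 {
		return Frame{}, nil, errors.New("short frame header")
	}
	n := int(b[0])<<16 | int(b[1])<<8 | int(b[2])
	if len(b) < 9+n {
		return Frame{}, nil, errors.New("short frame payload")
	}
	f := Frame{Type: b[3], Flags: b[4], StreamID: binary.BigEndian.Uint32(b[5:9]) & 0x7fffffff, Payload: b[9 : 9+n]}
	return f, b[9+n:], nil
}

// ReadHeaderBlock consumes a HEADERS frame plus any CONTINUATION frames on the
// same stream and returns the concatenated, still HPACK-encoded header block.
// The limit is checked after every fragment, before HPACK decoding, so a peer
// that never sends END_HEADERS cannot make the receiver buffer without bound.
func ReadHeaderBlock(wire []byte, maxHeaderBlock int) ([]byte, error) {
	f, rest, err := decodeFrame(wire)
	if err != nil {
		return nil, err
	}
	if f.Type != frameHeaders {
		return nil, fmt.Errorf("expected HEADERS frame, got type %#x", f.Type)
	}
	stream := f.StreamID
	block := append([]byte(nil), f.Payload...)
	flags := f.Flags
	for {
		if len(block) > maxHeaderBlock {
			return nil, errHeaderBlockTooLarge
		}
		if flags&flagEndHeaders != 0 {
			return block, nil
		}
		f, rest, err = decodeFrame(rest)
		if err != nil {
			return nil, err
		}
		if f.Type != frameContinuation || f.StreamID != stream {
			return nil, errors.New("protocol error: expected CONTINUATION on the same stream")
		}
		block = append(block, f.Payload...)
		flags = f.Flags
	}
}

// ContinuationFlood builds constructed attacker traffic: one HEADERS frame
// followed by n CONTINUATION frames, none of which sets END_HEADERS.
func ContinuationFlood(n, fragmentSize int) []byte {
	frag := make([]byte, fragmentSize)
	wire := encodeFrame(Frame{Type: frameHeaders, StreamID: 1, Payload: frag})
	for i := 0; i < n; i++ {
		wire = append(wire, encodeFrame(Frame{Type: frameContinuation, StreamID: 1, Payload: frag})...)
	}
	return wire
}

func main() {
	// A legitimate header block split over two frames is accepted.
	wire := encodeFrame(Frame{Type: frameHeaders, StreamID: 3, Payload: []byte("abc")})
	wire = append(wire, encodeFrame(Frame{Type: frameContinuation, Flags: flagEndHeaders, StreamID: 3, Payload: []byte("def")})...)
	block, err := ReadHeaderBlock(wire, 16384)
	fmt.Printf("legit: %q err=%v\n", block, err)
	// The flood is rejected once the limit is crossed, not after all frames arrive.
	_, err = ReadHeaderBlock(ContinuationFlood(1000, 1024), 16384)
	fmt.Println("flood:", err)
}
```

The important property is where the check sits: with a limit of 16384 bytes the flood of a thousand 1 KiB fragments is abandoned after the seventeenth frame, so the connection never holds more than roughly one limit's worth of undecoded header data regardless of how many frames the peer sends.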
CNNVD
added 2024/05/29 12:00 a.m., 4 views

Aircompressor security vulnerability

Aircompressor is an open source library from Airlift that ports the Snappy, LZO, LZ4 and Zstandard compression algorithms to Java. Aircompressor versions prior to 0.27 have a security vulnerability that stems from a decompressor that may crash the JVM and leak memory contents...

CVSS 8.6, AI score 6.7, EPSS 0.00504
Exploits: 0, References: 9
Redos
added 2024/05/29 12:00 a.m., 37 views

ROS-20240529-01

A vulnerability in the Lightweight HTTP Server component of the Oracle Java SE platform and virtual machine, and of Oracle GraalVM Enterprise Edition, is related to unrestricted resource allocation. Exploitation of the vulnerability could allow a remote attacker to cause a denial of...

CVSS 7.5, AI score 7.4, EPSS 0.46677
Exploits: 6
The Hacker News
added 2024/05/28 10:15 a.m., 99 views

Researchers Warn of CatDDoS Botnet and DNSBomb DDoS Attack Technique

The threat actors behind the CatDDoS malware botnet have exploited over 80 known security flaws in various software over the past three months to infiltrate vulnerable devices and co-opt them into a botnet for conducting distributed denial-of-service (DDoS) attacks. "CatDDoS-related gangs' samples...

AI score 7.1, EPSS 0.01729
Exploits: 0
OpenVAS
added 2024/05/27 12:00 a.m., 8 views

Fedora: Security Advisory for rust-rpick (FEDORA-2024-ce2936b568)

The remote host is missing an update for rust-rpick (FEDORA-2024-ce2936b568). SPDX-FileCopyrightText: 2024 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...

AI score 7.5
Exploits: 0, References: 2
vulnersOsv
added 2024/05/22 3:49 p.m., 5 views

vantage6-algorithm-store (>=4.3.0 <=4.15.1rc1), vantage6-node (>=0.0.0 <=4.15.1rc1) +1 more potentially affected by CVE-2024-32969 via vantage6 (>=0.0.0 <=4.5.0)

vantage6 (PyPI), affected ranges as in the title: vantage6 >=0.0.0 <=4.5.0; vantage6-algorithm-store >=4.3.0 <=4.15.1rc1; vantage6-node >=0.0.0 <=4.15.1rc1 (+1 more). Source CVEs: CVE-2024-32969. Source advisory: OSV:GHSA-99R4-CJP4-3HMX...

CVSS 2.7, AI score 5.3, EPSS 0.00316
Exploits: 0
RedHat Linux
added 2024/05/22 11:47 a.m., 6 views

golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm

A flaw was found in Go's crypto/x509 standard library package. Verifying a certificate chain that contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This issue affects all crypto/tls clients and servers that set Config.ClientAuth to...

CVSS 5.9, AI score 7.3, EPSS 0.00661
Exploits: 0, References: 11
Veracode
added 2024/05/22 7:39 a.m., 8 views

Use Of A Broken Or Risky Cryptographic Algorithm

asymmetricrypt/asymmetricrypt is vulnerable to Use Of A Broken Or Risky Cryptographic Algorithm. The vulnerability is due to insecure padding within PKCS#1 v1.5, which allows an attacker to brute force the encrypted content...

AI score 7
Exploits: 0
Wallarm Lab
added 2024/05/21 4:56 p.m., 36 views

Vulnerabilities in BIG-IP Next Central Manager allow control of managed devices

Introduction: In May 2024, new vulnerabilities were identified in BIG-IP Next Central Manager, raising considerable security concerns. This discovery follows closely on the heels of a critical vulnerability revealed in April in Palo Alto firewalls with the GlobalProtect feature enabled, whi...

CVSS 9.8, AI score 8.6, EPSS 0.07163
Exploits: 0
CVE
added 2024/05/20 9:41 a.m., 99 views

CVE-2024-35970

The CVE-2024-35970 issue affects the Linux kernel AF_UNIX socket path. The root cause is improper handling of OOB data: when an OOB skb is dequeued, unix_sock(sk)->oob_skb is not cleared, causing incorrect uAPI state and potential deadlocks. Repro shows a socketpair exchange where MSG_OOB is u...

CVSS 6.3, AI score 6.6, EPSS 0.00499
Exploits: 0, References: 5, Affected Software: 1
Github Security Blog
added 2024/05/17 11:06 p.m., 17 views

nzo/url-encryptor-bundle Insecure default secret key and IV allowing anyone to decrypt values

Versions of nzo/url-encryptor-bundle prior to 5.0.1 and 4.3.2 are affected by a security vulnerability related to the lack of mandatory key and IV requirements. By default, the bundle uses the aes-256-ctr algorithm, which is susceptible to malleability attacks, potentially leading to Insecure...

AI score 7.2
Exploits: 0, References: 4, Affected Software: 1
OSV
added 2024/05/17 11:06 p.m., 8 views

GHSA-R2R8-36PQ-27CM nzo/url-encryptor-bundle Insecure default secret key and IV allowing anyone to decrypt values

Versions of nzo/url-encryptor-bundle prior to 5.0.1 and 4.3.2 are affected by a security vulnerability related to the lack of mandatory key and IV requirements. By default, the bundle uses the aes-256-ctr algorithm, which is susceptible to malleability attacks, potentially leading to Insecure...

AI score 7.2
Exploits: 0, References: 4
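The two nzo/url-encryptor-bundle entries above (GitHub Security Blog and OSV) name two separate problems: a key and IV that every installation shares lets anyone who knows them decrypt, and plain aes-256-ctr is malleable, so an attacker who knows a stretch of plaintext can rewrite it without any key at all. The Go program below is an added example written for this page, not the bundle's code, and the key, IV and plaintext are constructed for the demonstration. It implements the unauthenticated CTR scheme, forges a ciphertext so that `role=user` decrypts as `role=root`, and contrasts this with AES-GCM, where the same bit flip is rejected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// A shared key and IV stand in for a library default that every deployment
// inherits (constructed values for this example, not the bundle's real ones).
var (
	defaultKey = sha256.Sum256([]byte("example-default-secret")) // 32 bytes -> AES-256
	defaultIV  = []byte("0123456789abcdef")                       // 16-byte CTR IV
)

// CTREncrypt mirrors an unauthenticated aes-256-ctr "URL encryptor":
// the plaintext is XORed with the keystream and nothing protects integrity.
func CTREncrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(out, plaintext)
	return out, nil
}

// CTRDecrypt is the same operation; CTR mode is symmetric.
func CTRDecrypt(key, iv, ciphertext []byte) ([]byte, error) {
	return CTREncrypt(key, iv, ciphertext)
}

// Malleate needs no key: because C = P xor K, XORing (known xor want) into the
// ciphertext at off turns the known plaintext bytes into the wanted bytes.
func Malleate(ciphertext []byte, off int, known, want []byte) []byte {
	forged := append([]byte(nil), ciphertext...)
	for i := range known {
		forged[off+i] ^= known[i] ^ want[i]
	}
	return forged
}

// GCMSeal is the authenticated alternative: a random nonce is prefixed and the
// tag covers the ciphertext, so any bit flip fails to open.
func GCMSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// GCMOpen splits off the nonce and verifies the tag before returning plaintext.
func GCMOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

func main() {
	pt := []byte("user=alice;role=user") // constructed URL payload
	ct, _ := CTREncrypt(defaultKey[:], defaultIV, pt)

	// "role=" starts at offset 11, so the value "user" sits at offset 16.
	forged := Malleate(ct, 16, []byte("user"), []byte("root"))
	dec, _ := CTRDecrypt(defaultKey[:], defaultIV, forged)
	fmt.Printf("CTR after bit-flip: %s\n", dec) // user=alice;role=root

	sealed, _ := GCMSeal(defaultKey[:], pt)
	sealed[len(sealed)-1] ^= 1 // flip one bit of the authentication tag
	_, err := GCMOpen(defaultKey[:], sealed)
	fmt.Println("GCM after bit-flip:", err) // non-nil: authentication failed
}
```

Note that `Malleate` never touches the key: even a deployment that did configure its own secret remains exposed to this rewrite as long as the mode is unauthenticated CTR. Switching to an AEAD such as AES-GCM (with a per-message random nonce) closes both the forgery and the "anyone can decrypt" problem only when the key is also made mandatory and unique per installation.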
OSV
added 2024/05/17 10:31 p.m., 13 views

GHSA-HXHC-WMG8-XRQF namshi/jose insecure JSON Web Signatures (JWS)

namshi/jose allows the acceptance of insecure JSON Web Signatures (JWS) by default. The vulnerability arises from the $allowUnsecure flag, which, when set to true during the loading of JWSes, permits tokens signed with the 'none' algorithm to be processed. This behavior poses a significant security ri...

AI score 7
Exploits: 0, References: 3
Veracode
added 2024/05/17 1:38 p.m., 15 views

Weak Encryption

fuel/core is vulnerable to Weak Encryption. The vulnerability is due to the usage of the Crypt encryption algorithm, which potentially allows an attacker with sufficient knowledge, code, and GPU computing power to break the encryption and compromise the security of encrypted data...

AI score 7.1
Exploits: 0
Veracode
added 2024/05/17 7:38 a.m., 21 views

Authentication Bypass

firebase/php-jwt is vulnerable to Authentication Bypass. The vulnerability is due to missing algorithm checks when calling the decode method, allowing attackers to bypass verification when the asymmetric algorithms RS256, RS384, RS512, ES256, ES384 or ES512 are in use and no algorithm is specified within the...

AI score 7.1
Exploits: 0
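The namshi/jose and firebase/php-jwt entries above describe the same verifier mistake from two sides: letting the token's own header decide which algorithm is acceptable, either by honouring 'none' or by skipping the check when the caller passes no algorithm. The Go program below is an added example for this page, not either library's code. It issues an HS256 token with the standard library, builds an attacker's alg:none token, and shows a verifier whose algorithm allow-list comes from server configuration, refuses 'none' unconditionally, and rejects an empty allow-list rather than treating it as "anything goes". Only HS256 is implemented; the asymmetric algorithms the php-jwt entry lists would be handled the same way, with the allow-list tied to the configured key type. `SignHS256`, `UnsignedToken` and `Verify` are names chosen here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var (
	errAlgNotAllowed = errors.New("jwt: algorithm not in server allow-list")
	errBadSignature  = errors.New("jwt: signature verification failed")
	errMalformed     = errors.New("jwt: malformed token")
)

type header struct {
	Alg string `json:"alg"`
	Typ string `json:"typ,omitempty"`
}

var enc = base64.RawURLEncoding // JWS uses unpadded base64url

// SignHS256 issues a token; this is the issuer side of the example.
func SignHS256(claims map[string]any, secret []byte) (string, error) {
	h, _ := json.Marshal(header{Alg: "HS256", Typ: "JWT"})
	c, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := enc.EncodeToString(h) + "." + enc.EncodeToString(c)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + enc.EncodeToString(mac.Sum(nil)), nil
}

// UnsignedToken builds what an attacker sends: alg "none" and an empty signature.
func UnsignedToken(claims map[string]any) string {
	h, _ := json.Marshal(header{Alg: "none"})
	c, _ := json.Marshal(claims)
	return enc.EncodeToString(h) + "." + enc.EncodeToString(c) + "."
}

// Verify accepts only algorithms in allowed, which must come from server
// configuration. The header's alg merely selects among them; "none" is refused
// even if listed, and an empty list rejects everything instead of accepting all.
func Verify(token string, secret []byte, allowed []string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errMalformed
	}
	hb, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, errMalformed
	}
	var h header
	if err := json.Unmarshal(hb, &h); err != nil {
		return nil, errMalformed
	}
	permitted := false
	for _, a := range allowed {
		if a == h.Alg && a != "none" {
			permitted = true
		}
	}
	if !permitted {
		return nil, errAlgNotAllowed
	}
	switch h.Alg {
	case "HS256":
		mac := hmac.New(sha256.New, secret)
		mac.Write([]byte(parts[0] + "." + parts[1]))
		sig, err := enc.DecodeString(parts[2])
		if err != nil || !hmac.Equal(sig, mac.Sum(nil)) { // constant-time compare
			return nil, errBadSignature
		}
	default:
		return nil, fmt.Errorf("jwt: algorithm %q allowed but not implemented", h.Alg)
	}
	cb, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, errMalformed
	}
	var claims map[string]any
	if err := json.Unmarshal(cb, &claims); err != nil {
		return nil, errMalformed
	}
	return claims, nil
}

func main() {
	secret := []byte("constructed-hmac-secret")
	good, _ := SignHS256(map[string]any{"sub": "alice"}, secret)
	claims, err := Verify(good, secret, []string{"HS256"})
	fmt.Println("signed token:", claims, err)

	evil := UnsignedToken(map[string]any{"sub": "admin"})
	_, err = Verify(evil, secret, []string{"HS256"})
	fmt.Println("alg=none token:", err)
	_, err = Verify(good, secret, nil) // no configured algorithm: still rejected
	fmt.Println("empty allow-list:", err)
}
```

The allow-list check runs before any cryptography, so a token whose header names an algorithm the server never configured is discarded without ever consulting the key. When asymmetric algorithms are added, keep the same shape: the configured key type decides which branch of the switch is reachable, never the header.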
OSV
added 2024/05/16 4:15 p.m., 7 views

AZL-47684 CVE-2024-4603 affecting package hvloader for versions less than 1.0.1-6

Issue summary: Checking excessively long DSA keys or parameters may be very slow. Impact summary: Applications that use the functions EVP_PKEY_param_check or EVP_PKEY_public_check to check a DSA public key or DSA parameters may experience long delays. Where the key or parameters that are being checked...

CVSS 5.3, AI score 6.6, EPSS 0.01131
Exploits: 0, References: 1
OSV
added 2024/05/16 4:15 p.m., 4 views

DEBIAN-CVE-2024-4603

Issue summary: Checking excessively long DSA keys or parameters may be very slow. Impact summary: Applications that use the functions EVP_PKEY_param_check or EVP_PKEY_public_check to check a DSA public key or DSA parameters may experience long delays. Where the key or parameters that are being checked...

CVSS 5.3, AI score 6.7, EPSS 0.01131
Exploits: 0, References: 1
OSV
added 2024/05/16 4:15 p.m., 8 views

AZL-42766 CVE-2024-4603 affecting package cloud-hypervisor-cvm for versions less than 38.0.72.2-1

Issue summary: Checking excessively long DSA keys or parameters may be very slow. Impact summary: Applications that use the functions EVP_PKEY_param_check or EVP_PKEY_public_check to check a DSA public key or DSA parameters may experience long delays. Where the key or parameters that are being checked...

CVSS 5.3, AI score 6.6, EPSS 0.01131
Exploits: 0, References: 1
CNNVD
added 2024/05/16 12:00 a.m., 2 views

OpenSSL security vulnerability

OpenSSL is an open source general-purpose cryptographic library from the OpenSSL team that implements the Secure Sockets Layer (SSLv2/v3) and Transport Layer Security (TLSv1) protocols. It supports a wide range of cryptographic algorithms, including symmetric ciphers, hashing algorithms, secure...

CVSS 5.3, AI score 6.9, EPSS 0.01131
Exploits: 0, References: 9
Github Security Blog
added 2024/05/14 6:31 p.m., 21 views

PHP Censor uses a weak hashing algorithm for the remember me key

PHP Censor v2.1.4 (fixed in v2.1.5) was discovered to use a weak hashing algorithm for its remember_key value. This allows attackers to brute-force the remember_key value and gain access to accounts that checked "remember me" when logging in...

CVSS 5.3, AI score 6.9, EPSS 0.00283
Exploits: 0, References: 4, Affected Software: 1