Lucene search
K

80 matches found

RedHat Linux
RedHat Linux
added 2021/08/10 7:52 a.m.4 views

golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty

A flaw was found in Go, acting as an unintended proxy or intermediary, where ReverseProxy forwards connection headers if the first one was empty. This flaw allows an attacker to drop arbitrary headers. The highest threat from this vulnerability is to integrity...

5.3CVSS7.2AI score0.02279EPSS
Exploits1References5
Prion
Prion
added 2021/08/02 7:15 p.m.21 views

Design/Logic Flaw

In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy from net/http/httputil result in a situation where an attacker is able to drop arbitrary headers...

4.3CVSS6.2AI score0.02279EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2021/08/02 7:15 p.m.1 views

UBUNTU-CVE-2021-33197

In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy from net/http/httputil result in a situation where an attacker is able to drop arbitrary headers...

5.3CVSS6.8AI score0.02279EPSS
Exploits1References4
Debian CVE
Debian CVE
added 2021/08/02 6:54 p.m.37 views

CVE-2021-33197

In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy from net/http/httputil result in a situation where an attacker is able to drop arbitrary headers...

5.3CVSS6.6AI score0.02279EPSS
Exploits1
CNVD
CNVD
added 2021/06/30 12:0 a.m.34 views

Google Golang has an unspecified vulnerability (CNVD-2022-02629)

Google Golang is a statically strongly typed, compiled language from Google, Inc. A security vulnerability exists in Google Golang, which can be exploited by attackers to cause arbitrary headers to be dropped...

5.3CVSS3.1AI score0.02279EPSS
Exploits1References1
CNNVD
CNNVD
added 2021/06/28 12:0 a.m.7 views

Google Golang 安全漏洞

Google Golang is a statically strongly typed, compiled language from Google, Inc. A security vulnerability exists in Google Golang, which can be exploited by attackers to cause arbitrary headers to be dropped...

5.3CVSS5.9AI score0.02279EPSS
Exploits1References63
Veracode
Veracode
added 2021/01/07 4:32 p.m.22 views

Session Fixation

firefox is vulnerable to session fixation. Firefox for Android allows a malicious application to broadcast a user's Intent with arbitrary headers, allowing attacks such as session fixation...

6.5CVSS4.1AI score0.00858EPSS
Exploits0References3Affected Software1
NVD
NVD
added 2021/01/07 2:15 p.m.13 views

CVE-2020-26975

When a malicious application installed on the user's device broadcast an Intent to Firefox for Android, arbitrary headers could have been specified, leading to attacks such as abusing ambient authority or session fixation. This was resolved by only allowing certain safe-listed headers. Note: This...

6.5CVSS6AI score0.00858EPSS
Exploits0References2
Prion
Prion
added 2021/01/07 2:15 p.m.20 views

Session fixation

When a malicious application installed on the user's device broadcast an Intent to Firefox for Android, arbitrary headers could have been specified, leading to attacks such as abusing ambient authority or session fixation. This was resolved by only allowing certain safe-listed headers. Note: This...

4.3CVSS6.1AI score0.00858EPSS
Exploits0References2Affected Software1
AlpineLinux
AlpineLinux
added 2021/01/07 1:52 p.m.38 views

CVE-2020-26975

When a malicious application installed on the user's device broadcast an Intent to Firefox for Android, arbitrary headers could have been specified, leading to attacks such as abusing ambient authority or session fixation. This was resolved by only allowing certain safe-listed headers. Note: This...

6.5CVSS7.5AI score0.00858EPSS
Exploits0
Debian CVE
Debian CVE
added 2021/01/07 1:52 p.m.25 views

CVE-2020-26975

When a malicious application installed on the user's device broadcast an Intent to Firefox for Android, arbitrary headers could have been specified, leading to attacks such as abusing ambient authority or session fixation. This was resolved by only allowing certain safe-listed headers. Note: This...

6.5CVSS8.3AI score0.00858EPSS
Exploits0
CNNVD
CNNVD
added 2020/12/15 12:0 a.m.7 views

Mozilla Firefox 安全漏洞

Mozilla Firefox is an open source web browser from the Mozilla Foundation in the United States. A security vulnerability exists in previous versions of Mozilla Firefox 84. When a malicious application installed on a user's device broadcasts intent to Firefox for Android, it can specify arbitrary...

6.5CVSS7.1AI score0.00858EPSS
Exploits0References6
Cvelist
Cvelist
added 2020/09/23 12:25 a.m.25 views

CVE-2020-3117 Cisco Web Security Appliance and Cisco Content Security Management Appliance HTTP Header Injection Vulnerability

A vulnerability in the API Framework of Cisco AsyncOS for Cisco Web Security Appliance WSA and Cisco Content Security Management Appliance SMA could allow an unauthenticated, remote attacker to inject crafted HTTP headers in the web server's response. The vulnerability is due to insufficient...

4.7CVSS4.7AI score0.00929EPSS
Exploits0References1
CNVD
CNVD
added 2020/07/28 12:0 a.m.3 views

Encode OSS Uvicorn Injection Vulnerability

Encode OSS Uvicorn is a British Encode OSS company based on uvloop and httptools build ASGI Web Server Gateway Interface server. An injection vulnerability exists in Encode OSS Uvicorn versions prior to 0.11.7, which stems from the program's failure to escape CRLF sequences in HTTP headers, and c...

5.3CVSS7.4AI score0.0131EPSS
Exploits1References1
OSV
OSV
added 2020/07/27 12:15 p.m.4 views

UBUNTU-CVE-2020-7695

Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. Attackers can exploit this to add arbitrary headers to HTTP responses, or even return an arbitrary response body, whenever crafted input is used to construct HTTP headers...

5.3CVSS6.2AI score0.0131EPSS
Exploits1References4
UbuntuCve
UbuntuCve
added 2020/07/27 12:15 p.m.24 views

CVE-2020-7695

Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. Attackers can exploit this to add arbitrary headers to HTTP responses, or even return an arbitrary response body, whenever crafted input is used to construct HTTP headers...

5.3CVSS6.2AI score0.0131EPSS
Exploits1References3
CNVD
CNVD
added 2020/05/07 12:0 a.m.3 views

Apache OFBiz Injection Vulnerability

Apache OFBiz is the United States Apache Apache Software Foundation of a set of enterprise resource planning ERP system. The system provides a set of Java-based Web application components and tools. An injection vulnerability exists in Apache OFBiz version 17.12.01. An attacker can exploit this...

7.5CVSS7.4AI score0.04665EPSS
Exploits0References1
Hacker One
Hacker One
added 2020/04/24 1:24 p.m.113 views

Starbucks: CRLF injection on www.starbucks.com

The vulnerability allows setting arbitrary headers, and also enables response splitting which can then be exploited further. POC: curl -i 'https://www.starbucks.com/email-prospecttg9wh%0d%0aset-cookie:foo%0d%0a%0d%0a4t6uf?requesturl=/responsibility/global-report/policies' -d...

3.7AI score
Exploits0
Cisco
Cisco
added 2020/01/22 4:0 p.m.22 views

Cisco Web Security Appliance and Cisco Content Security Management Appliance HTTP Header Injection Vulnerability

A vulnerability in the API Framework of Cisco AsyncOS for Cisco Web Security Appliance WSA and Cisco Content Security Management Appliance SMA could allow an unauthenticated, remote attacker to inject crafted HTTP headers in the web server's response. The vulnerability is due to insufficient...

4.7CVSS2.6AI score0.00929EPSS
Exploits0References1
Prion
Prion
added 2019/12/06 7:15 p.m.20 views

Cross site scripting

Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable to HTTP response splitting, which allows remote attackers to inject arbitrary HTTP headers via CRLF sequences when unsanitized data is used to populate the headers of an HTTP response. This vulnerability has been patched in...

5CVSS6.3AI score0.00982EPSS
Exploits0References2Affected Software1
Rows per page
Query Builder