Lucene search
K

192 matches found

Github Security Blog
Github Security Blog
added 2023/02/01 6:48 p.m.34 views

Symfony storing cookie headers in HttpCache

Description ----------- The Symfony HTTP cache system acts as a reverse proxy: it caches HTTP responses including headers and returns them to clients. In a recent AbstractSessionListener change, the response might now contain a Set-Cookie header. If the Symfony HTTP cache system is enabled, this...

8.8CVSS6.7AI score0.00753EPSS
Exploits0References8Affected Software2
Friends Of PHP
Friends Of PHP
added 2023/02/01 8:0 a.m.30 views

CVE-2022-24894: Prevent storing cookie headers in HttpCache

More info at https://symfony.com/cve-2022-24894...

8.8CVSS7.2AI score0.00753EPSS
Exploits0Affected Software1
RedhatCVE
RedhatCVE
added 2022/08/25 11:40 a.m.31 views

CVE-2022-31151

A flaw was found in the undici package. After cookie headers are set, they are not cleared. This issue could allow an attacker to take advantage of this cookie, which could be used to control the redirection target. Mitigation By default, this vulnerability is not exploitable. In order to make su...

3.7CVSS3.3AI score0.00584EPSS
Exploits1References5
NVD
NVD
added 2022/07/21 4:15 a.m.32 views

CVE-2022-31151

Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or...

6.5CVSS0.00584EPSS
Exploits1References4
OSV
OSV
added 2022/07/21 4:15 a.m.5 views

DEBIAN-CVE-2022-31151

Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or...

6.5CVSS5.9AI score0.00584EPSS
Exploits1References1
OSV
OSV
added 2022/07/21 4:15 a.m.3 views

UBUNTU-CVE-2022-31151

Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or...

6.5CVSS6.5AI score0.00584EPSS
Exploits1References5
Positive Technologies
Positive Technologies
added 2022/07/21 12:0 a.m.10 views

PT-2022-7066 · Undici +7 · Undici +7

Name of the Vulnerable Software and Affected Versions: Undici versions prior to 5.26.2 Description: The issue is related to the handling of headers in the Undici HTTP/1.1 client for Node.js. Specifically, prior to version 5.26.2, Undici cleared Authorization headers on cross-origin redirects but...

9.8CVSS6.4AI score0.99999EPSS
Exploits23References178
CVE
CVE
added 2022/07/20 11:0 p.m.218 views

CVE-2022-31151

CVE-2022-31151 affects the Node.js undici HTTP client. The issue is that during cross-origin redirects, authorization headers are cleared but cookie headers are not, potentially leaking cookies to a third party if an attacker controls the redirect target. The problem was patched in undici v5.7.1,...

6.5CVSS5.1AI score0.00584EPSS
Exploits1References4Affected Software1
Cvelist
Cvelist
added 2022/07/20 11:0 p.m.37 views

CVE-2022-31151 Uncleared cookies on cross-host/cross-origin redirect in undici

Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or...

3.7CVSS6.7AI score0.00584EPSS
Exploits1References4
OSV
OSV
added 2022/07/20 11:0 p.m.10 views

CVE-2022-31151 Uncleared cookies on cross-host/cross-origin redirect in undici

Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or...

3.7CVSS5.6AI score0.00584EPSS
Exploits1References6
Debian CVE
Debian CVE
added 2022/07/20 11:0 p.m.35 views

CVE-2022-31151

Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or...

6.5CVSS5AI score0.00584EPSS
Exploits1
Positive Technologies
Positive Technologies
added 2022/07/20 12:0 a.m.2 views

PT-2022-20566 · Undici · Undici

Name of the Vulnerable Software and Affected Versions: undici versions prior to 5.7.1 Description: The issue arises when authorization headers are cleared on cross-origin redirects, but cookie headers remain uncleared. This may lead to accidental leakage of cookies to a 3rd-party site or a...

6.5CVSS5.7AI score0.01223EPSS
Exploits1References30
Microsoft CVE
Microsoft CVE
added 2022/07/19 7:0 a.m.6 views

A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this or other servers to which the cookies match create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.This denial state might remain for as long as the same cookies are kept match and haven't expired. Due to cookie matching rules a server on `foo.example.com` can set cookies that also would match for `bar.example.com` making it it possible for a "sister server" to effectively cause a denial of service for a sibling site on the same second level domain using this method.

...

4.3CVSS7.2AI score0.26915EPSS
Exploits1
OSV
OSV
added 2022/07/08 11:3 a.m.4 views

OESA-2022-1744 curl security update

Security Fixes: A vulnerability was found in curl. This issue occurs because it mishandles message verification failures when curl does FTP transfers secured by krb5. This flaw makes it possible for a Man-in-the-middle attack to go unnoticed and allows data injection into the client.CVE-2022-3220...

9.8CVSS6.6AI score0.3197EPSS
Exploits4References5
NVD
NVD
added 2022/07/07 1:15 p.m.23 views

CVE-2022-32205

A malicious server can serve excessive amounts of Set-Cookie: headers in a HTTP response to curl and curl 7.84.0 stores all of them. A sufficiently large amount of big cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger th...

4.3CVSS0.26915EPSS
Exploits1References9
OSV
OSV
added 2022/07/07 1:15 p.m.4 views

ALPINE-CVE-2022-32205

A malicious server can serve excessive amounts of Set-Cookie: headers in a HTTP response to curl and curl 7.84.0 stores all of them. A sufficiently large amount of big cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger th...

4.3CVSS6.7AI score0.26915EPSS
Exploits1References1
Cvelist
Cvelist
added 2022/07/07 12:0 a.m.25 views

CVE-2022-32205

A malicious server can serve excessive amounts of Set-Cookie: headers in a HTTP response to curl and curl 7.84.0 stores all of them. A sufficiently large amount of big cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger th...

6.8AI score0.26915EPSS
Exploits1References9
RedhatCVE
RedhatCVE
added 2022/06/28 3:35 a.m.42 views

CVE-2022-32205

A vulnerability was found in curl. This issue occurs because a malicious server can serve excessive amounts of Set-Cookie: headers in an HTTP response to curl, which stores all of them. This flaw leads to a denial of service, either by mistake or by a malicious actor...

5.9CVSS1.8AI score0.26915EPSS
Exploits1References4
OSV
OSV
added 2022/06/27 8:0 a.m.7 views

CURL-CVE-2022-32205 Set-Cookie denial of service

A malicious server can serve excessive amounts of Set-Cookie: headers in a HTTP response to curl and curl stores all of them. A sufficiently large amount of big cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the...

4.3CVSS6.6AI score0.26915EPSS
Exploits1
curl security advisories
curl security advisories
added 2022/06/27 8:0 a.m.9 views

Set-Cookie denial of service

A malicious server can serve excessive amounts of Set-Cookie: headers in a HTTP response to curl and curl stores all of them. A sufficiently large amount of big cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the...

4.3CVSS6.8AI score0.26915EPSS
Exploits1References1Affected Software2
Rows per page
Query Builder