4 matches found
Fedora 38 : php-laminas-diactoros2 (2023-8cf8786a16)
The remote Fedora 38 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-8cf8786a16 advisory. Version 2.25.2 This release provides a patch for CVE-2023-29530 / GHSA-xv3h-4844-9h36 / LP2023-01. Tenable has extracted the preceding description block...
CVE-2023-29530 Laminas Diactoros vulnerable to HTTP Multiline Header Termination
Laminas Diactoros provides PSR HTTP Message implementations. In versions 2.18.0 and prior, 2.19.0, 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.24.0, and 2.25.0, users who create HTTP requests or responses using laminas/laminas-diactoros, when providing a newline at the start or end of a header key or value...
CVE-2023-29530
Laminas Diactoros HTTP message implementations are affected in versions up to 2.25.0 by an issue where a leading/trailing newline in a header key or value can produce an invalid HTTP message, potentially enabling DoS or application errors. Patches are available in 2.18.1, 2.19.1, 2.20.1, 2.21.1, ...
GHSA-Q2QJ-628G-VHFW Insecure header validation in slim/psr7
Impact An attacker could sneak in a newline \n into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n. An attacker that is able to control the header names that are passed to Slilm-Ps...