468 matches found
golang: go/parser: stack exhaustion in all Parse* functions
A flaw was found in the golang standard library, go/parser. When calling any Parse functions on the Go source code, which contains deeply nested types or declarations, a panic can occur due to stack exhaustion. This issue allows an attacker to impact system availability...
golang: encoding/xml: stack exhaustion in Decoder.Skip
A flaw was found in golang encoding/xml. When calling Decoder, Skip while parsing a deeply nested XML document, a panic can occur due to stack exhaustion and allows an attacker to impact system availability...
PT-2022-20224 · Go +9 · Go +9
Name of the Vulnerable Software and Affected Versions: Go versions prior to 1.17.12 Go versions prior to 1.18.4 Description: The issue is related to uncontrolled recursion in the Decoder.Decode function in the encoding/gob package. This allows an attacker to cause a panic due to stack exhaustion ...
Stack overflow in rustc_serialize when parsing deeply nested JSON
When parsing JSON using json::Json::fromstr, there is no limit to the depth of the stack, therefore deeply nested objects can cause a stack overflow, which aborts the process. Example code that triggers the vulnerability is rust fn main let = rustcserialize::json::Json::fromstr&"0,".repeat10000;...
Mozilla: Bypassing permission prompt in nested browsing contexts
The Mozilla Foundation Security Advisory describes this flaw as: Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions...
Authentication Bypass
firefox is vulnerable to authentication bypass. An attacker with the document in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions...
Mozilla: Bypassing permission prompt in nested browsing contexts
The Mozilla Foundation Security Advisory describes this flaw as: Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions...
Mozilla: Bypassing permission prompt in nested browsing contexts
The Mozilla Foundation Security Advisory describes this flaw as: Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions...
CVE-2022-24921
regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression...
Stack overflow in rustc_serialize when parsing deeply nested JSON
When parsing JSON using json::Json::fromstr, there is no limit to the depth of the stack, therefore deeply nested objects can cause a stack overflow, which aborts the process. Example code that triggers the vulnerability is rust fn main let = rustcserialize::json::Json::fromstr&"0,".repeat10000;...
DEBIAN-CVE-2021-42717
ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large e.g., 300KB HTTP request can occupy one of the limited NGINX worke...
CVE-2021-42697
Akka HTTP 10.1.x before 10.1.15 and 10.2.x before 10.2.7 can encounter stack exhaustion while parsing HTTP headers, which allows a remote attacker to conduct a Denial of Service attack by sending a User-Agent header with deeply nested comments...
CentOS 8 : dovecot (CESA-2020:3713)
The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2020:3713 advisory. - dovecot: Resource exhaustion via deeply nested MIME parts CVE-2020-12100 - dovecot: Out of bound reads in dovecot NTLM implementation CVE-2020-12673 ...
Prototype Pollution in babak-gholamzadeh/deeply-object-assign
Description deeply-object-assign is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js var deeplyObjectAssign = require"deeply-object-assign" const payload = JSON.parse'"proto":"polluted":"Yes! Its Polluted"'; var obj = console.log"Before : " +...
Important: Red Hat Security Advisory: dovecot security update
An update for dovecot is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for...
CentOS 7 : dovecot (RHSA-2020:3617)
The remote CentOS Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3617 advisory. - In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of service resource...
RHEL 7 : dovecot (RHSA-2020:3617)
The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3617 advisory. Dovecot is an IMAP server for Linux and other UNIX-like systems, written primarily with security in mind. It also contains a small POP3...
@amishurinskiy/router (=1.0.0), @bluedrop_dev/configly (=4.0.2) +36 more potentially affected by CVE-2019-10750 via deeply (>=0.1.0 <=3.0.0)
deeply NPM version =0.1.0, =1.0.0, =1.1.1, =1.0.0, =0.2.1, =3.0.0, =1.0.0, =1.0.0, =2.0.0 - fabspa-js =0.5.0 and more Source cves: CVE-2019-10750 Source advisory: OSV:GHSA-8J4W-5FW4-RM27...
GHSA-8J4W-5FW4-RM27 Prototype Pollution in deeply
Versions of deeply prior to 1.0.1 are vulnerable to Prototype Pollution. The package fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects. Recommendation Upgrade t...
Prototype Pollution in deeply
Versions of deeply prior to 1.0.1 are vulnerable to Prototype Pollution. The package fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects. Recommendation Upgrade t...