5 matches found
Improper Handling of Case Sensitivity
Overview Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity in the Server.prototype.addContext method of lib/internal/tls/wrap.js, which builds the server name matching regular expression without the case-insensitive flag. An attacker can evade the TLS conte...
python-urllib3: HTTPS proxy host name not validated when using default SSLContext
A flaw was found in python-urllib3. SSL certificate validation is omitted in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy if an SSLContext isn't given via proxyconfig doesn't verify the hostname of the certificate. This means certificates for different...
JAX-RS: Information disclosure via XML eXternal Entity (XXE)
It was found that the default context parameters as provided to RESTEasy deployments by JBoss EAP did not explicitly disable external entity expansion for RESTEasy. A remote attacker could use this flaw to perform XML External Entity XXE attacks on RESTEasy applications accepting XML input...
Security: Wrong security context loaded when using SAML2 STS Login Module
It was found that when processing undefined security domains, the org.jboss.security.plugins.mapping.JBossMappingManager implementation would fall back to the default security domain if it was available. A user with valid credentials in the defined default domain, with a role that is valid in the...
JAX-RS: Information disclosure via XML eXternal Entity (XXE)
It was found that the default context parameters as provided to RESTEasy deployments by JBoss EAP did not explicitly disable external entity expansion for RESTEasy. A remote attacker could use this flaw to perform XML External Entity XXE attacks on RESTEasy applications accepting XML input...