Lucene search
+L

55 matches found

Apache Tomcat
Apache Tomcat
added 2021/02/02 12:0 a.m.59 views

Fixed in Apache Tomcat 10.0.2

Note: The issues below were fixed in Apache Tomcat 10.0.1 but the release vote for the 10.0.1 release candidate did not pass. Therefore, although users must download 10.0.2 to obtain a version that includes a fix for these issues, version 10.0.1 is not included in the list of affected versions...

7CVSS7.2AI score0.56636EPSS
Exploits16Affected Software1
Apache Tomcat
Apache Tomcat
added 2021/02/02 12:0 a.m.76 views

Fixed in Apache Tomcat 8.5.63

Note: The issues below were fixed in Apache Tomcat 8.5.62 but the release vote for the 8.5.62 release candidate did not pass. Therefore, although users must download 8.5.63 to obtain a version that includes a fix for these issues, version 8.5.62 is not included in the list of affected versions...

7.5CVSS7.2AI score0.56636EPSS
Exploits16Affected Software1
Kitploit
Kitploit
added 2020/09/30 8:30 p.m.109 views

H2Csmuggler - HTTP Request Smuggling Over HTTP/2 Cleartext (H2C)

h2cSmuggler smuggles HTTP traffic past insecure edge-server proxypass configurations by establishing HTTP/2 cleartext h2c communications with h2c-compatible back-end servers, allowing a bypass of proxy rules and access controls. See my detailed write-up below for: Technical breakdown of the...

7.4AI score
Exploits0References6
pentestit
pentestit
added 2020/09/16 12:37 a.m.52 views

UPDATE: Merlin v0.9.0

Merlin v0.9.0 was released a couple of days ago. This release adds support for HTTP and h2c protocols. As we know, the h2c protocol is the non-TLS version of HTTP/2. This release also adds new "Listeners" menu to create and manage multiple listeners. You can now configure agent/listeners to liste...

0.6AI score
Exploits0
Tenable Nessus
Tenable Nessus
added 2020/07/30 12:0 a.m.49 views

Amazon Linux AMI : tomcat8 (ALAS-2020-1409)

The version of tomcat8 installed on the remote host is prior to 8.5.57-1.85. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2020-1409 advisory. The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 t...

7.5CVSS7AI score0.87553EPSS
Exploits1References5
Tenable Nessus
Tenable Nessus
added 2020/07/17 12:0 a.m.229 views

Apache Tomcat 9.0.0.M1 < 9.0.37 multiple vulnerabilities

The version of Tomcat installed on the remote host is prior to 9.0.37. It is, therefore, affected by multiple vulnerabilities as referenced in the fixedinapachetomcat9.0.37security-9 advisory. - The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to...

7.5CVSS7AI score0.87553EPSS
Exploits1References5
RedhatCVE
RedhatCVE
added 2020/07/15 6:8 a.m.25 views

CVE-2020-13934

A flaw was found in Apache Tomcat, where an h2c direct connection did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests are made, an OutOfMemoryException could occur, leading to a denial of service. The highest threat from this vulnerability i...

5CVSS7.2AI score0.64124EPSS
Exploits0References8
NVD
NVD
added 2020/07/14 3:15 p.m.21 views

CVE-2020-13934

An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service...

7.5CVSS0.64124EPSS
Exploits0References13
Prion
Prion
added 2020/07/14 3:15 p.m.29 views

Design/Logic Flaw

An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service...

5CVSS7.2AI score0.64124EPSS
Exploits0References13Affected Software14
Debian CVE
Debian CVE
added 2020/07/14 2:59 p.m.34 views

CVE-2020-13934

An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service...

7.5CVSS8.7AI score0.64124EPSS
Exploits0
CVE
CVE
added 2020/07/14 2:59 p.m.629 views

CVE-2020-13934

CVE-2020-13934 affects multiple Apache Tomcat releases (8.5.1–8.5.56, 9.0.x, 10.0.x up to M6) where an h2c direct connection didn’t release the HTTP/1.1 processor after upgrading to HTTP/2, potentially causing OutOfMemoryError and denial of service. Public advisories across vendors and distributi...

7.5CVSS7.3AI score0.64124EPSS
Exploits0References13Affected Software1
Kaspersky
Kaspersky
added 2020/07/05 12:0 a.m.60 views

KLA12083 DoS vulnerabilities in Apache Tomcat

DoS vulnerabilities were found in Apache Tomcat. Malicious users can exploit these vulnerabilities to cause denial of service. Below is a complete list of vulnerabilities: 1. DoS vulnerability in h2c direct connection can be exploited to cause denial of service. 2. DoS vulnerability in WebSocket...

7.5CVSS7AI score0.87553EPSS
Exploits1References5
RedhatCVE
RedhatCVE
added 2020/02/02 8:47 a.m.40 views

CVE-2019-10081

A vulnerability was found in Apache httpd, in modhttp2. Under certain circumstances, HTTP/2 early pushes could lead to memory corruption, causing a server to crash. Mitigation This flaw is only exploitable if Apache httpd is configured to respond to HTTP/2 requests, which is done by including "h2...

7.5CVSS8.2AI score0.14563EPSS
Exploits1References4
Kitploit
Kitploit
added 2019/05/26 10:2 p.m.194 views

H2Buster - A Threaded, Recursive, Web Directory Brute-Force Scanner Over HTTP/2

A threaded, recursive, web directory brute-force scanner over HTTP/2 using hyper, inspired by Gobuster. Features Fast and portable - install hyper and run. Multiconnection scanning. Multithreaded connections. Scalable: scans can be as docile or aggressive as you configure them to be. h2 and h2c...

7.3AI score
Exploits0References3
OpenVAS
OpenVAS
added 2016/12/06 12:0 a.m.43 views

Apache HTTP Server 'mod_http2' Denial of Service Vulnerability - Linux

Apache HTTP Server is prone to a denial of service vulnerability. SPDX-FileCopyrightText: 2016 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...

7.5CVSS7.5AI score0.7907EPSS
Exploits4References3
Rows per page
Query Builder