91 matches found
Node.js: HTTP Request Smuggling via Empty headers separated by CR
HTTP Request Smuggling HRS was possible in Node.js v20.2.0 due to the llhttp parser in the http module not strictly using the CRLF sequence to delimit HTTP requests. The CR character without LF was sufficient to delimit HTTP header fields in the llhttp parser, which is not compliant with RFC7230...
OESA-2023-1237 golang security update
The Go Programming Language. Security Fixes: Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can...
haproxy: request smuggling attack in HTTP/1 header parsing
A flaw was found in HAProxy's headers processing that causes HAProxy to drop important headers fields such as Connection, Content-length, Transfer-Encoding, and Host after having partially processed them. A maliciously crafted HTTP request could be used in an HTTP request smuggling attack to bypa...
AZL-79062 CVE-2023-24536 affecting package golang 1.25.7-1
Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount ...
AZL-26028 CVE-2023-24536 affecting package msft-golang for versions less than 1.20.7-1
Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount ...
CVE-2023-24536 Excessive resource consumption in net/http, net/textproto and mime/multipart
Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount ...
SUSE CVE-2023-24536
Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount ...
Allocation of Resources Without Limits or Throttling
Overview std/net/textproto is a Go standard library package std/net/textproto Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. Go Vulnerability Report: Multipart form parsing can consume large amounts of CPU and memory when processing form...
SUSE CVE-2018-12633
An issue was discovered in the Linux kernel through 4.17.2. vbgmiscdeviceioctl in drivers/virt/vboxguest/vboxguestlinux.c reads the same user data twice with copyfromuser. The header part of the user data is double-fetched, and a malicious user thread can tamper with the critical variables...
CVE-2022-35256
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling...
Oracle Linux 8 : nodejs:14 (ELSA-2022-7830)
The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-7830 advisory. - Record issues fixed in the current version Resolves: CVE-2021-44531 CVE-2021-44532 CVE-2021-44533 CVE-2022-21824 Resolves: CVE-2022-0235 - Rebase to...
AlmaLinux 8 : nodejs:18 (ALSA-2022:7821)
The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2022:7821 advisory. nodejs: weak randomness in WebCrypto keygen CVE-2022-35255 nodejs: HTTP Request Smuggling due to incorrect parsing of header fields CVE-2022-35256 Tenable...
CVE-2022-39026 e-Excellence Inc. U-Office Force - Stored XSS
U-Office Force UserDefault page has insufficient filtering for special characters in the HTTP header fields. A remote attacker with general user privilege can exploit this vulnerability to inject JavaScript and perform XSS Stored Cross-Site Scripting attack...
RHEL 8 : nodejs:16 (RHSA-2022:6964)
The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:6964 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The...
SUSE-SU-2022:3503-1 Security update for nodejs12
This update for nodejs12 fixes the following issues: - CVE-2022-35256: Fixed incorrect parsing of header fields bsc1203832. - CVE-2022-32213: Fixed bypass via obs-fold mechanic bsc1201325...
Updated nodejs packages fix security vulnerability
DNS rebinding in --inspect on macOS CVE-2022-32212 Bypass via obs-fold mechanic CVE-2022-32213 HTTP Request Smuggling Due to Incorrect Parsing of Header Fields CVE-2022-35256...
September 23rd 2022 Security Releases
September 23rd 2022 Security Releases Update 26-September-2022 Security releases available Recommendation update regarding CVE-2022-35255: Roll-out and re-issue all keys generated with WebCrypto.subtle.generateKey. Re-evaluate the confidentiality of data encrypted with those keys. Update...
Moderate: Red Hat Security Advisory: nodejs:14 security and bug fix update
An update for the nodejs:14 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...
Mageia: Security Advisory (MGASA-2022-0294)
The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
Node.js: HTTP Request Smuggling Due to Incorrect Parsing of Header Fields
Summary: The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling. Description: The following chunked request is processed. It should be rejected as Transfer-Encoding header obfuscatio...