Lucene search
K

91 matches found

Hacker One
Hacker One
added 2023/05/25 1:38 p.m.70 views

Node.js: HTTP Request Smuggling via Empty headers separated by CR

HTTP Request Smuggling HRS was possible in Node.js v20.2.0 due to the llhttp parser in the http module not strictly using the CRLF sequence to delimit HTTP requests. The CR character without LF was sufficient to delimit HTTP header fields in the llhttp parser, which is not compliant with RFC7230...

7.5CVSS7.7AI score0.03906EPSS
Exploits1
OSV
OSV
added 2023/04/21 11:5 a.m.4 views

OESA-2023-1237 golang security update

The Go Programming Language. Security Fixes: Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can...

9.8CVSS7.2AI score0.02281EPSS
Exploits0References5
RedHat Linux
RedHat Linux
added 2023/04/12 12:2 p.m.7 views

haproxy: request smuggling attack in HTTP/1 header parsing

A flaw was found in HAProxy's headers processing that causes HAProxy to drop important headers fields such as Connection, Content-length, Transfer-Encoding, and Host after having partially processed them. A maliciously crafted HTTP request could be used in an HTTP request smuggling attack to bypa...

9.1CVSS5.7AI score0.05493EPSS
Exploits0References6
OSV
OSV
added 2023/04/06 4:15 p.m.4 views

AZL-79062 CVE-2023-24536 affecting package golang 1.25.7-1

Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount ...

7.5CVSS6.6AI score0.01479EPSS
Exploits0References1
OSV
OSV
added 2023/04/06 4:15 p.m.5 views

AZL-26028 CVE-2023-24536 affecting package msft-golang for versions less than 1.20.7-1

Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount ...

7.5CVSS6.6AI score0.01479EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2023/04/06 3:50 p.m.6 views

CVE-2023-24536 Excessive resource consumption in net/http, net/textproto and mime/multipart

Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount ...

7.5AI score0.01479EPSS
Exploits0References8
SUSE CVE
SUSE CVE
added 2023/04/06 1:57 a.m.3 views

SUSE CVE-2023-24536

Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount ...

5.9CVSS7.1AI score0.01479EPSS
Exploits0References13
Snyk
Snyk
added 2023/04/05 9:4 p.m.1 views

Allocation of Resources Without Limits or Throttling

Overview std/net/textproto is a Go standard library package std/net/textproto Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. Go Vulnerability Report: Multipart form parsing can consume large amounts of CPU and memory when processing form...

8.7CVSS6.8AI score0.01479EPSS
Exploits0References3
SUSE CVE
SUSE CVE
added 2023/02/15 4:26 a.m.2 views

SUSE CVE-2018-12633

An issue was discovered in the Linux kernel through 4.17.2. vbgmiscdeviceioctl in drivers/virt/vboxguest/vboxguestlinux.c reads the same user data twice with copyfromuser. The header part of the user data is double-fetched, and a malicious user thread can tamper with the critical variables...

6.3CVSS6.4AI score0.00264EPSS
Exploits1References3
Cvelist
Cvelist
added 2022/12/05 12:0 a.m.29 views

CVE-2022-35256

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling...

8.1AI score0.02587EPSS
Exploits1References3
Tenable Nessus
Tenable Nessus
added 2022/11/15 12:0 a.m.34 views

Oracle Linux 8 : nodejs:14 (ELSA-2022-7830)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-7830 advisory. - Record issues fixed in the current version Resolves: CVE-2021-44531 CVE-2021-44532 CVE-2021-44533 CVE-2022-21824 Resolves: CVE-2022-0235 - Rebase to...

8.8CVSS7.5AI score0.21514EPSS
Exploits4References6
Tenable Nessus
Tenable Nessus
added 2022/11/14 12:0 a.m.56 views

AlmaLinux 8 : nodejs:18 (ALSA-2022:7821)

The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2022:7821 advisory. nodejs: weak randomness in WebCrypto keygen CVE-2022-35255 nodejs: HTTP Request Smuggling due to incorrect parsing of header fields CVE-2022-35256 Tenable...

9.1CVSS7.8AI score0.02587EPSS
Exploits2References3
Vulnrichment
Vulnrichment
added 2022/10/31 6:40 a.m.8 views

CVE-2022-39026 e-Excellence Inc. U-Office Force - Stored XSS

U-Office Force UserDefault page has insufficient filtering for special characters in the HTTP header fields. A remote attacker with general user privilege can exploit this vulnerability to inject JavaScript and perform XSS Stored Cross-Site Scripting attack...

5.4CVSS5.4AI score0.00429EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2022/10/17 12:0 a.m.274 views

RHEL 8 : nodejs:16 (RHSA-2022:6964)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:6964 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The...

9.1CVSS7.9AI score0.02587EPSS
Exploits2References6
OSV
OSV
added 2022/10/04 9:57 a.m.6 views

SUSE-SU-2022:3503-1 Security update for nodejs12

This update for nodejs12 fixes the following issues: - CVE-2022-35256: Fixed incorrect parsing of header fields bsc1203832. - CVE-2022-32213: Fixed bypass via obs-fold mechanic bsc1201325...

6.5CVSS7.4AI score0.35079EPSS
Exploits2References5
Mageia
Mageia
added 2022/10/01 5:48 p.m.62 views

Updated nodejs packages fix security vulnerability

DNS rebinding in --inspect on macOS CVE-2022-32212 Bypass via obs-fold mechanic CVE-2022-32213 HTTP Request Smuggling Due to Incorrect Parsing of Header Fields CVE-2022-35256...

8.1CVSS2AI score0.35079EPSS
Exploits2References3
Node JS Blog
Node JS Blog
added 2022/09/15 12:0 a.m.56 views

September 23rd 2022 Security Releases

September 23rd 2022 Security Releases Update 26-September-2022 Security releases available Recommendation update regarding CVE-2022-35255: Roll-out and re-issue all keys generated with WebCrypto.subtle.generateKey. Re-evaluate the confidentiality of data encrypted with those keys. Update...

9.1CVSS8AI score0.68796EPSS
Exploits5
RedHat Linux
RedHat Linux
added 2022/09/13 9:48 a.m.56 views

Moderate: Red Hat Security Advisory: nodejs:14 security and bug fix update

An update for the nodejs:14 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...

8.1CVSS6.7AI score0.77278EPSS
Exploits3References7
OpenVAS
OpenVAS
added 2022/08/26 12:0 a.m.25 views

Mageia: Security Advisory (MGASA-2022-0294)

The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

9.8CVSS7.3AI score0.77278EPSS
Exploits5References9
Hacker One
Hacker One
added 2022/08/20 3:13 a.m.52 views

Node.js: HTTP Request Smuggling Due to Incorrect Parsing of Header Fields

Summary: The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling. Description: The following chunked request is processed. It should be rejected as Transfer-Encoding header obfuscatio...

6.4CVSS8AI score0.02587EPSS
Exploits1
Rows per page
Query Builder