Amazon Linux 2 : amazon-ecr-credential-helper (ALASNITRO-ENCLAVES-2024-040)

The version of amazon-ecr-credential-helper installed on the remote host is prior to 0.7.1-4. It is, therefore, affected by a vulnerability as referenced in the ALAS2NITRO-ENCLAVES-2024-040 advisory. An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an...

Amazon Linux 2 : amazon-ecr-credential-helper (ALASDOCKER-2024-039)

The version of amazon-ecr-credential-helper installed on the remote host is prior to 0.7.1-4. It is, therefore, affected by a vulnerability as referenced in the ALAS2DOCKER-2024-039 advisory. An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive...

Amazon Linux 2 : cni-plugins (ALAS-2024-2555)

The version of cni-plugins installed on the remote host is prior to 1.2.0-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2024-2555 advisory. An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATIO...

Medium: golist

Issue Overview: A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of da...

Medium: cni-plugins

Issue Overview: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed...

Amazon Linux 2023 : amazon-cloudwatch-agent (ALAS2023-2024-625)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2024-625 advisory. An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing...

Medium: amazon-ecr-credential-helper

Issue Overview: A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of da...

Amazon Linux 2023 : amazon-ecr-credential-helper (ALAS2023-2024-631)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2024-631 advisory. A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP clie...

AlmaLinux 8 : git-lfs (ALSA-2024:2699)

The remote AlmaLinux 8 host has a package installed that is affected by a vulnerability as referenced in the ALSA-2024:2699 advisory. - An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state...

RHEL 9 : Red Hat build of MicroShift 4.15.12 (RHSA-2024:2667)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:2667 advisory. Red Hat build of MicroShift is Red Hat's light-weight Kubernetes orchestration solution designed for edge device deployments and is built from the ed...

Rocky Linux 8 : git-lfs (RLSA-2024:2699)

The remote Rocky Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2024:2699 advisory. - An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK stat...

Rocky Linux 8 : go-toolset:rhel8 (RLSA-2024:1962)

The remote Rocky Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2024:1962 advisory. - An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK stat...

RHCOS 4 : OpenShift Container Platform 4.12.56 (RHSA-2024:1899)

The remote Red Hat Enterprise Linux CoreOS 4 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2024:1899 advisory. - golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS CVE-2023-45288 Note that Nessus has not tested for this...

CentOS 7 : rhc-worker-script (RHSA-2024:2625)

The remote CentOS Linux 7 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2024:2625 advisory. - An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK sta...

Fedora 40 : kubernetes (2024-ce2eefc399)

The remote Fedora 40 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-ce2eefc399 advisory. Update Kubernetes to v1.29.4 for Fedora 40. Resolves CVE-2024-3177: Bypassing mountable secrets policy imposed by the ServiceAccount admission plugi...

AlmaLinux 9 : golang (ALSA-2024:1963)

The remote AlmaLinux 9 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2024:1963 advisory. - An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state...

OESA-2024-1488 golang security update

The Go Programming Language. Security Fixes: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a...

MGASA-2024-0128 Updated golang packages fix security vulnerability

CVE-2023-45288: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed...

FreeBSD : forgejo -- HTTP/2 CONTINUATION flood in net/http (c092be0e-f7cc-11ee-aa6b-b42e991fc52e)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the c092be0e-f7cc-11ee-aa6b-b42e991fc52e advisory. - An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an...

SUSE SLES12 Security Update : go1.21 (SUSE-SU-2024:1161-1)

The remote SUSE Linux SLES12 / SLESSAP12 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:1161-1 advisory. - An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames...