12664 matches found
Astra Linux – Vulnerability in grub2
Out-of-bounds write when handling split HTTP headers: When dealing with split HTTP headers, GRUB2’s HTTP code accidentally moves its internal data buffer point by one position. This can lead to an out-of-bounds write during the parsing of the HTTP request, resulting in writing a NULL byte beyond...
Astra Linux – Vulnerability in Python-Django
In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of the Accept-Language header are cached in order to avoid repeated parsing. This can lead to a potential denial-of-service vulnerability due to excessive memory usage if the raw value of the Accept-Language...
Astra Linux - Vulnerability in Golang-1.23
The HTTP client discards sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header, which is redirected to b.com/, will not send that header to b.com. However, if the client receives a subsequent same-domain redirect, the...
Astra Linux – Vulnerability in Gunicorn
Gunicorn fails to properly validate Transfer-Encoding headers, resulting in HTTP Request Smuggling HRS vulnerabilities. By creating requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue arises due to Gunicorn’s...
Astra Linux - Vulnerability in Golang-1.19
When following an HTTP redirect to a domain that is not a subdomain match or an exact match of the initial domain, an http.Client does not forward sensitive headers such as “Authorization” or “Cookie”. For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but ...
Astra Linux – Vulnerability in Firefox
The fetch API and navigation incorrectly shared the same cache, as the cache key did not include the optional headers that fetch might contain. Under the correct circumstances, an attacker could have been able to corrupt the local browser cache by using a fetch response controlled by these...
Astra Linux – Vulnerability in Zabbix
The HttpRequest object allows you to retrieve the HTTP headers from the server’s response after sending a request. The issue is that the returned strings are created directly from the data sent by the server and are not properly encoded for JavaScript. This enables the creation of internal string...
Astra Linux – Vulnerability in Python 3.11, Python 3.7
The email module, specifically the “BytesGenerator” class, did not properly quote newlines for email headers when serializing an email message. This issue occurs only when using “LiteralHeader” to write headers that do not follow email folding rules. The new behavior will reject incorrectly folde...
Astra Linux – Vulnerability in Ruby-Rack
Rack is a modular Ruby web server interface. Carefully crafted headers may cause header parsing in Rack to take longer than expected, potentially leading to a denial-of-service issue. The Accept and Forwarded headers are affected. Ruby 3.2 includes fixes for this problem, so Rack applications tha...
Astra Linux – Vulnerability in Jetty9
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 inclusive, as well as 10.0.0 and 11.0.0, when Jetty handles a request containing multiple Accept headers with a large number of “quality” i.e., q parameters, the server may enter a Denial-of-Service DoS state due to high CPU usage in processing...
Astra Linux – Vulnerability in Tomcat9
There is an input validation vulnerability in Apache Tomcat. Versions of Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81, and from 8.5.0 through 8.5.93 did not properly parse HTTP trailer headers. A specially crafted, invalid trailer header...
Astra Linux – Vulnerabilities in Linux, Linux-5.10, Linux-5.15
Guests can trigger the reset/abort/crash of the NIC interface through netback. It is possible for a guest to trigger a NIC interface reset/abort/crash in a Linux-based network backend by sending certain types of packets. It seems to be an unstated assumption in the rest of the Linux network stack...
Astra Linux – Vulnerability in tar
In the sparse.c file of GNU Tar, before version 1.32, there was a NULL pointer dereferencing issue when parsing certain archives that contained malformed extended headers...
Astra Linux – Vulnerabilities in Linux, Linux-5.15, Linux-5.10
In the Linux kernel, the following vulnerability has been resolved: kheaders: Use an array declaration instead of a char. Under CONFIGFORTIFYSOURCE, memcpy will check the size of the destination and source buffers. Defining kernelheadersdata as “char” would trigger this check. Since these address...
Astra Linux – Vulnerability in Linux 5.10
In the Linux kernel, the following vulnerability has been resolved: RISC-V: kexec – Fix for memory leak in the elf header buffer This issue was reported by the kmemleak detector: Unreferenced object: 0xff2000000403d000 size 4096 Command: “kexec”, PID: 146, Jiffies: 4294900633 age: 64.792 seconds...
Astra Linux – Vulnerability found in Linux 5.15, Linux 5.10
In the Linux kernel, the following vulnerability has been resolved: x86/kexec: fixed the memory leak in the elf header buffer. This issue was reported by the kmemleak detector: Unreferenced object 0xffffc900002a9000 size 4096: comm “kexec”, pid 14950, jiffies 4295110793 age 373.951s Hex dump firs...
Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1
In the Linux kernel, the following vulnerability has been resolved: mt76: mt7921: Do not assume adequate headroom for SDIO headers The function mt7921usbsdiotxprepareskb calls mt7921usbsdiowritetxwi and mt7921skbaddusbsdiohdr. Both functions blindly assume that adequate headroom will be available...
Astra Linux – Vulnerability in python-httplib2
In httplib2 before version 0.18.0, an attacker who controlled unescaped parts of the URI for httplib2.Http.request could alter request headers and the request body, and send additional hidden requests to the same server. This vulnerability affects software that uses httplib2 with URIs constructed...
Astra Linux – Vulnerability in Tomcat9
When responding to new H2C connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, and 8.5.0 to 8.5.61 may duplicate request headers and a limited amount of request body from one request to another. This means that user A and user B may both see the results of user A’...
Astra Linux – Vulnerability in Twisted
Twisted is an event-driven networking engine written in Python. In affected versions, Twisted exposes cookies and authorization headers when performing cross-origin redirects. This issue is present in the twited.web.RedirectAgent and twisted.web.BrowserLikeRedirectAgent functions. Users are advis...