Amazon Linux 2023 : tomcat9, tomcat9-admin-webapps, tomcat9-el-3.0-api (ALAS2023-2023-140)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2023-140 advisory. If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false the default for...
CVE-2023-27569
The eotags package before 1.3.0 for PrestaShop allows SQL injection via an HTTP User-Agent or Referer header...
CLSA-2023-1679349850 curl: Fix of CVE-2023-23916
CVE-2023-23916: fix HTTP multi-header compression denial of service - fix testing system by adding the nonewline option...
PT-2023-2258 · Jenkins · Jenkins
Name of the Vulnerable Software and Affected Versions: Jenkins versions 2.270 through 2.393; Jenkins LTS versions 2.277.1 through 2.375.3. Description: The issue is related to errors in handling HTTP headers, which can allow a remote attacker to perform cross-site scripting (XSS) attacks. The...
CVE-2022-4550
The User Activity WordPress plugin through 1.0.1 checks headers such as the X-Forwarded-For to retrieve the IP address of the request, which could lead to IP spoofing...
[SECURITY] Fedora 36 Update: haproxy-2.4.22-2.fc36
HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high availability environments. Indeed, it can: - route HTTP requests depending on statically assigned cookies - spread load among several servers while assuring server persistence through the use of HTTP cookies - switch to...
Fedora 37 : haproxy (2023-3e8a21cd5b)
The remote Fedora 37 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-3e8a21cd5b advisory. Security fix for CVE-2023-0056, CVE-2023-25725 Tenable has extracted the preceding description block directly from the Fedora security advisory. Not...
AZL-13653 CVE-2023-23916 affecting package curl for versions less than 7.88.1-1
An allocation of resources without limits or throttling vulnerability exists in curl v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this...
K000132665: Apache HTTPD vulnerability CVE-2022-37436
Security Advisory Description Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the...
K14054: CRIME vulnerability via TLS 1.2 protocol CVE-2012-4929
Security Advisory Description The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data. This allows man-in-the-middle attackers to obtain plain text HTTP headers by...
K55423848: CGI.pm and CGI::Simple vulnerabilities CVE-2010-2761 and CVE-2010-4410
Security Advisory Description CVE-2010-2761 The multipart_init function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier uses a hardcoded value of the MIME boundary string in multipart/x-mixed-replace content, which allows remote attackers to inject arbitrary HTTP headers a...
K20606443: iControl REST CSRF vulnerability CVE-2020-5922
Security Advisory Description iControl REST does not implement cross-site request forgery (CSRF) protections for users applying basic authentication in a web browser. CVE-2020-5922 Impact In a successful exploit, an attacker can run JavaScript in the context of the currently logged-in user. For an...
K10420455: Python urllib and urllib2 library vulnerability CVE-2016-5699
Security Advisory Description CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython aka Python before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL. CVE-2016-5699 Impact An attacker...
K27551003: The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it
Security Advisory Description This issue occurs when all of the following conditions are met: A virtual server is associated with an HTTP profile. An iRule or LTM policy that uses HTTP header information is associated with the virtual server. The BIG-IP system receives a specially crafted HTTP...
K39794285: The BIG-IP system may fail to properly parse HTTP headers that are prepended by whitespace (non-RFC 2616 compliant)
Security Advisory Description The BIG-IP system may fail to properly parse HTTP headers that are prepended by whitespace. This issue occurs when all of the following conditions are met: A virtual server is associated with an HTTP profile. The BIG-IP system receives a specially crafted HTTP reques...
K14059: CRIME vulnerability via the SPDY protocol CVE-2012-4930
Security Advisory Description The SPDY protocol 3, and earlier, can perform TLS encryption of compressed data without properly obfuscating the length of the unencrypted data. This allows man-in-the-middle attackers to obtain plain text HTTP headers by observing length differences during a series ...
Internet Bug Bounty: CRLF Injection in Nodejs ‘undici’ via host
A vulnerability was discovered in the fetch API of Node.js versions 16.x, 18.x, and 19.x that allowed for CRLF injection in the 'host' header, potentially leading to attacks such as HTTP response splitting and HTTP header injection. The vulnerability was fixed in security releases...
CRLF injection
An improper neutralization of CRLF sequences in HTTP headers ('HTTP response splitting') in Fortinet FortiOS versions 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.11, 6.2.0 through 6.2.12, 6.0.0 through 6.0.16, FortiProxy 7.2.0 through 7.2.1, 7.0.0 through 7.0.7, 2.0.0 through 2.0.10,...
SUSE CVE-2006-3124
Buffer overflow in the HTTP header parsing in Streamripper before 1.61.26 allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted HTTP headers...