
2483 matches found

Tenable Nessus
added 2021/04/08 12:00 a.m. · 35 views

SUSE SLED15 / SLES15 Security Update : flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk (SUSE-SU-2021:1094-1)

This update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk fixes the following issues : libostree : Update to version 2020.8 Enable LTO. bsc1133120 This update contains scalability improvements and bugfixes. Caching-related HTTP headers are now supported on summaries and...

CVSS 8.8 · AI score 8.1 · EPSS 0.0057
Exploits 0 · References 8

CNVD
added 2021/04/02 12:00 a.m. · 7 views

Kopano Groupware Core Denial of Service Vulnerability

Kopano Groupware Core is an application from the Dutch company Kopano. Provides Groupware features for Kopano stacks and in most cases they are the core of every Kopano environment. A denial of service vulnerability exists in Kopano Groupware Core, which can be exploited by an attacker to exhaust...

CVSS 7.5 · AI score 6.7 · EPSS 0.02049
Exploits 1 · References 1

NVD
added 2021/03/31 11:15 p.m. · 11 views

CVE-2021-28994

kopano-ical formerly zarafa-ical in Kopano Groupware Core through 8.7.16, 9.x through 9.1.0, 10.x through 10.0.7, and 11.x through 11.0.1 and Zarafa 6.30.x through 7.2.x allows memory exhaustion via long HTTP headers...

CVSS 7.5 · EPSS 0.02049
Exploits 1 · References 3

UbuntuCve
added 2021/03/31 11:15 p.m. · 24 views

CVE-2021-28994

kopano-ical formerly zarafa-ical in Kopano Groupware Core through 8.7.16, 9.x through 9.1.0, 10.x through 10.0.7, and 11.x through 11.0.1 and Zarafa 6.30.x through 7.2.x allows memory exhaustion via long HTTP headers...

CVSS 7.5 · AI score 7.1 · EPSS 0.02049
Exploits 1 · References 2

Prion
added 2021/03/31 11:15 p.m. · 15 views

Design/Logic Flaw

kopano-ical formerly zarafa-ical in Kopano Groupware Core through 8.7.16, 9.x through 9.1.0, 10.x through 10.0.7, and 11.x through 11.0.1 and Zarafa 6.30.x through 7.2.x allows memory exhaustion via long HTTP headers...

CVSS 5 · AI score 7.5 · EPSS 0.02049
Exploits 1 · References 3 · Affected Software 2

CVE
added 2021/03/31 10:11 p.m. · 65 views

CVE-2021-28994

CVE-2021-28994 affects Kopano Groupware Core via kopano-ical (formerly zarafa-ical). The vulnerability causes memory exhaustion by processing long HTTP headers. Affected versions include Kopano Groupware Core up to 8.7.16, 9.x up to 9.1.0, 10.x up to 10.0.7, and 11.x up to 11.0.1, and Zarafa 6.30...

CVSS 7.5 · AI score 7.5 · EPSS 0.02049
Exploits 1 · References 3 · Affected Software 1

Cvelist
added 2021/03/31 10:11 p.m. · 13 views

CVE-2021-28994

kopano-ical formerly zarafa-ical in Kopano Groupware Core through 8.7.16, 9.x through 9.1.0, 10.x through 10.0.7, and 11.x through 11.0.1 and Zarafa 6.30.x through 7.2.x allows memory exhaustion via long HTTP headers...

AI score 7.7 · EPSS 0.02049
Exploits 1 · References 3

Debian CVE
added 2021/03/31 10:11 p.m. · 16 views

CVE-2021-28994

Removed by vendor...

CVSS 7.5 · AI score 7.6 · EPSS 0.02049
Exploits 1

Veracode
added 2021/03/19 5:35 a.m. · 30 views

Information Disclosure

x-pack-core is vulnerable to an information disclosure. Sensitive request headers of other users in the cluster are exposed to a user with the ability to read the .tasks index due to a flawed implementation of async search API which allows users executing an async search to store the HTTP headers...

CVSS 4.8 · AI score 1.9 · EPSS 0.01241
Exploits 0 · References 5 · Affected Software 1

Github Security Blog
added 2021/03/18 7:27 p.m. · 57 views

Insufficiently Protected Credentials in Elasticsearch

Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in...

CVSS 4.8 · AI score 1.8 · EPSS 0.01241
Exploits 0 · References 5 · Affected Software 1

0day.today
added 2021/03/09 12:00 a.m. · 97 views

Froala 3.2.6-1 Cross Site Scripting Vulnerability

Exploit Title: Stored XSS and Html Code Injection Editor Froala Version 3.2.6-1 Author: Vincent666 ibn Winnie Software Link: https://froala.com/wysiwyg-editor/ Tested on: Windows 10 Web Browser: Mozilla Firefox My Youtube Channel: https://www.youtube.com/channel/UCZOWpC2dW9sipPq5z63C2rQ PoC: In t...

AI score 7.4
Exploits 0

NVD
added 2021/02/23 1:15 p.m. · 11 views

CVE-2020-14359

A vulnerability was found in all versions of Keycloak Gatekeeper, where on using lower case HTTP headers via cURL an attacker can bypass our Gatekeeper. Lower case headers are also accepted by some webservers e.g. Jetty. This means there is no protection when we put a Gatekeeper in front of a Jet...

CVSS 7.5 · EPSS 0.00956
Exploits 0 · References 2

AlpineLinux
added 2021/02/23 12:42 p.m. · 23 views

CVE-2020-14359

A vulnerability was found in all versions of keycloak, where on using lower case HTTP headers via cURL we can bypass our Gatekeeper. Lower case headers are also accepted by some webservers e.g. Jetty. This means there is no protection when we put a Gatekeeper in front of a Jetty server and use...

CVSS 7.5 · AI score 7 · EPSS 0.00956
Exploits 0 · References 2

Positive Technologies
added 2021/02/23 12:00 a.m. · 4 views

PT-2021-9721 · Red Hat +1 · Keycloak Gatekeeper +1

Name of the Vulnerable Software and Affected Versions: Keycloak Gatekeeper versions all Description: A vulnerability was found in Keycloak Gatekeeper where an attacker can bypass the Gatekeeper by using lower case HTTP headers, for example, via cURL. This issue is particularly problematic when th...

CVSS 7.5 · AI score 7 · EPSS 0.00956
Exploits 0 · References 8

CVE
added 2021/02/04 4:55 p.m. · 47 views

CVE-2020-4828

IBM API Connect CVE-2020-4828 affects IBM API Connect 10.0.0.0–10.0.1.0 and 2018.4.1.0–2018.4.1.13, vulnerable to web cache poisoning due to improper input validation when HTTP request headers are modified. Root cause: input validation weakness in header handling. Impact: web cache poisoning pote...

CVSS 6.5 · AI score 6.3 · EPSS 0.00812
Exploits 0 · References 2 · Affected Software 1

OpenVAS
added 2021/02/02 12:00 a.m. · 22 views

Huawei EulerOS: Security Advisory for ceph (EulerOS-SA-2021-1136)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2021 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 7.1 · AI score 6.9 · EPSS 0.01627
Exploits 0 · References 2

RedhatCVE
added 2021/02/01 3:13 p.m. · 32 views

CVE-2021-22132

Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in...

CVSS 4.8 · AI score 0.9 · EPSS 0.01241
Exploits 0 · References 4

NVD
added 2021/01/27 1:15 p.m. · 13 views

CVE-2020-4967

IBM Cloud Pak for Security CP4S 1.3.0.1 could disclose sensitive information through HTTP headers which could be used in further attacks against the system. IBM X-Force ID: 192425...

4.3CVSS3.8AI score0.00742EPSS
Exploits0References2
Cvelist
Cvelist
added 2021/01/27 1:5 p.m.20 views

CVE-2020-4967

IBM Cloud Pak for Security CP4S 1.3.0.1 could disclose sensitive information through HTTP headers which could be used in further attacks against the system. IBM X-Force ID: 192425...

3.1CVSS4.3AI score0.00742EPSS
Exploits0References2
Cvelist
Cvelist
added 2021/01/27 1:5 p.m.14 views

CVE-2020-4815

IBM Cloud Pak for Security CP4S 1.4.0.0 could allow a remote user to obtain sensitive information from HTTP response headers that could be used in further attacks against the system...

CVSS 5.3 · AI score 5 · EPSS 0.01284
Exploits 0 · References 2