85 matches found

F5 Networks
added 2023/02/21 8:2 p.m., 60 views

K92930514: GO vulnerability CVE-2016-5386

Security Advisory Description The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote...

CVSS 8.1 | AI score 6.7 | EPSS 0.0522
Exploits: 0

Positive Technologies
added 2022/09/06 12:0 a.m., 8 views

PT-2022-4659

Name of the Vulnerable Software and Affected Versions Go versions prior to 1.18.6 Go versions 1.19.x prior to 1.19.1 Description The issue is related to the net/http package in Go, where an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error, leading to a denial ...

CVSS 10 | AI score 5.8 | EPSS 0.99999
Exploits: 91 | References: 456

Snyk
added 2022/08/09 5:5 p.m., 5 views

Unintended Proxy or Intermediary

Overview std/net/http is a Go standard library package std/net/http Affected versions of this package are vulnerable to Unintended Proxy or Intermediary. Go Vulnerability Report: An input validation flaw in the CGI components allows the HTTP_PROXY environment variable to be set by the incoming Pro...

CVSS 9.2 | AI score 6.7 | EPSS 0.0522
Exploits: 0 | References: 3

OSSF Malicious Packages
added 2022/07/22 10:5 a.m., 2 views

Malicious code in sf-http (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware a7a395dd20110ce54d6e06156f7c1cf5f86c114631f0bb6e99f7a43349c924f3 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 6.9
Exploits: 0 | References: 1

OSV
added 2022/06/03 10:17 p.m., 31 views

GHSA-9W9F-6MG8-JP7W Missing Role Based Access Control for the REST handlers in bleve/http package

Impact What kind of vulnerability is it? Who is impacted? Bleve includes HTTP utilities under bleve/http package, that are used by its sample application. https://github.com/blevesearch/bleve-explorer These HTTP methods pave the way for exploitation of a node’s filesystem where the bleve index...

CVSS 5.5 | AI score 5.8 | EPSS 0.00332
Exploits: 0 | References: 6

Github Security Blog
added 2022/06/03 10:17 p.m., 40 views

Missing Role Based Access Control for the REST handlers in bleve/http package

Impact What kind of vulnerability is it? Who is impacted? Bleve includes HTTP utilities under bleve/http package, that are used by its sample application. https://github.com/blevesearch/bleve-explorer These HTTP methods pave the way for exploitation of a node’s filesystem where the bleve index...

CVSS 6.2 | AI score 5.9 | EPSS 0.00332
Exploits: 0 | References: 6 | Affected Software: 2

OSV
added 2022/06/01 8:15 p.m., 3 views

UBUNTU-CVE-2022-31022

Bleve is a text indexing library for go. Bleve includes HTTP utilities under bleve/http package, that are used by its sample application. These HTTP methods pave way for exploitation of a node’s filesystem where the bleve index resides, if the user has used bleve’s own HTTP bleve/http handlers fo...

CVSS 6.2 | AI score 5.8 | EPSS 0.00332
Exploits: 0 | References: 3

Github Security Blog
added 2022/05/24 5:37 p.m., 31 views

http before 0.13.3 vulnerable to header injection

An issue was discovered in the http package before 0.13.3 for Dart. If the attacker controls the HTTP method and the app is using Request directly, it's possible to achieve CRLF injection in an HTTP request via HTTP header injection. This issue has been addressed in commit abb2bb182 by validating...

CVSS 6.1 | AI score 7 | EPSS 0.02155
Exploits: 1 | References: 7 | Affected Software: 1

GitLab Advisory Database
added 2022/05/24 12:0 a.m., 5 views

http before 0.13.3 vulnerable to header injection

An issue was discovered in the http package before 0.13.3 for Dart. If the attacker controls the HTTP method and the app is using Request directly, it's possible to achieve CRLF injection in an HTTP request via HTTP header injection. This issue has been addressed in commit abb2bb182 by validating...

CVSS 6.1 | AI score 6.7 | EPSS 0.02155
Exploits: 1 | References: 8 | Affected Software: 1

Github Security Blog
added 2022/01/12 10:33 p.m., 77 views

Unbounded memory usage on exposed HTTP/2 (non-gRPC) endpoints

Impact The net/http Go package has a reported vulnerability tracked under CVE-2021-44716 which allows attacker controlled HTTP/2 requests to trigger unbounded memory usage in HTTP/2 endpoints. gRPC endpoints are not vulnerable as they rely on their own HTTP/2 implementation instead of the net/htt...

CVSS 7.5 | AI score 0.1 | EPSS 0.03958
Exploits: 0 | References: 2 | Affected Software: 1

RedHat Linux
added 2021/01/11 9:59 p.m., 4 views

golang: data race in certain net/http servers including ReverseProxy can lead to DoS

A flaw was found in Go's net/http package. Servers using ReverseProxy from net/http in the Go standard library are vulnerable to a data race that results in a denial of service. The highest threat from this vulnerability is to system availability...

CVSS 5.9 | AI score 7.3 | EPSS 0.02893
Exploits: 0 | References: 5

CNVD
added 2020/12/29 12:0 a.m., 3 views

Google Http package For Dart Cross-Site Request Forgery Vulnerability

Google Http package For Dart is an HTTP support code base for the Dart programming language from Google Inc. (U.S.). A cross-site request forgery vulnerability exists in Google Http package For Dart version 0.12.2 and earlier versions, which allows an attacker to implement a CRLF injection into an HTTP...

CVSS 6.1 | AI score 7.4 | EPSS 0.02155
Exploits: 1 | References: 1

OSV
added 2020/12/24 3:15 a.m., 19 views

CVE-2020-35669

An issue was discovered in the http package through 0.12.2 for Dart. If the attacker controls the HTTP method and the app is using Request directly, it's possible to achieve CRLF injection in an HTTP request...

CVSS 6.1 | AI score 7
Exploits: 0 | References: 2

Prion
added 2020/12/24 3:15 a.m., 17 views

Crlf injection

An issue was discovered in the http package through 0.12.2 for Dart. If the attacker controls the HTTP method and the app is using Request directly, it's possible to achieve CRLF injection in an HTTP request...

CVSS 4.3 | AI score 6.9 | EPSS 0.02155
Exploits: 1 | References: 2 | Affected Software: 1

Cvelist
added 2020/12/24 2:5 a.m., 32 views

CVE-2020-35669

An issue was discovered in the http package through 0.12.2 for Dart. If the attacker controls the HTTP method and the app is using Request directly, it's possible to achieve CRLF injection in an HTTP request...

AI score 6.6 | EPSS 0.02155
Exploits: 1 | References: 2

CNNVD
added 2020/12/23 12:0 a.m., 9 views

Google Http package For Dart Injection Vulnerability

Google Http package For Dart is an HTTP support code base for the Dart programming language from Google Inc. (U.S.). A cross-site request forgery vulnerability exists in Google Http package For Dart version 0.12.2 and earlier versions, which allows an attacker to implement a CRLF injection into an HTTP...

CVSS 6.1 | AI score 6.8 | EPSS 0.02155
Exploits: 1 | References: 2

0day.today
added 2020/07/26 12:0 a.m., 288 views

INNEO Startup TOOLS 2018 M040 13.0.70.3804 - Remote Code Execution Exploit

Exploit for multiple platform in category web applications Exploit Title: INNEO Startup TOOLS 2018 M040 13.0.70.3804 - Remote Code Execution Exploit Author: Patrick Hener, SySS GmbH Many credits go to Dr. Benjamin Heß, SySS GmbH for helping with php oddities and the powershell payload Advisory:...

AI score 9.7 | EPSS 0.16585
Exploits: 5

RedhatCVE
added 2017/10/05 7:49 a.m., 30 views

CVE-2017-1000098

The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors...

CVSS 7.5 | AI score 3 | EPSS 0.02078
Exploits: 0 | References: 2

Tenable Nessus
added 2016/08/18 12:0 a.m., 39 views

Amazon Linux AMI : golang (ALAS-2016-731) (httpoxy)

An input-validation flaw was discovered in the Go programming language built-in CGI implementation, which set the environment variable 'HTTP_PROXY' using the incoming 'Proxy' HTTP-request header. The environment variable 'HTTP_PROXY' is used by numerous web clients, including Go's net/http package,...

CVSS 8.1 | AI score 6.9 | EPSS 0.0522
Exploits: 0 | References: 2

NVD
added 2016/07/19 2:0 a.m., 21 views

CVE-2016-5386

The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI...

CVSS 8.1 | AI score 7.8 | EPSS 0.0522
Exploits: 0 | References: 9