85 matches found
K92930514: GO vulnerability CVE-2016-5386
Security Advisory Description The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTPPROXY environment variable, which might allow remote...
PT-2022-4659
Name of the Vulnerable Software and Affected Versions Go versions prior to 1.18.6 Go versions 1.19.x prior to 1.19.1 Description The issue is related to the net/http package in Go, where an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error, leading to a denial ...
Unintended Proxy or Intermediary
Overview std/net/http is a Go standard library package std/net/http Affected versions of this package are vulnerable to Unintended Proxy or Intermediary. Go Vulnerability Report: An input validation flaw in the CGI components allows the HTTPPROXY environment variable to be set by the incoming Pro...
Malicious code in sf-http (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware a7a395dd20110ce54d6e06156f7c1cf5f86c114631f0bb6e99f7a43349c924f3 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
GHSA-9W9F-6MG8-JP7W Missing Role Based Access Control for the REST handlers in bleve/http package
Impact What kind of vulnerability is it? Who is impacted? Bleve includes HTTP utilities under bleve/http package, that are used by its sample application. https://github.com/blevesearch/bleve-explorer These HTTP methods paves way for exploitation of a node’s filesystem where the bleve index...
Missing Role Based Access Control for the REST handlers in bleve/http package
Impact What kind of vulnerability is it? Who is impacted? Bleve includes HTTP utilities under bleve/http package, that are used by its sample application. https://github.com/blevesearch/bleve-explorer These HTTP methods paves way for exploitation of a node’s filesystem where the bleve index...
UBUNTU-CVE-2022-31022
Bleve is a text indexing library for go. Bleve includes HTTP utilities under bleve/http package, that are used by its sample application. These HTTP methods pave way for exploitation of a node’s filesystem where the bleve index resides, if the user has used bleve’s own HTTP bleve/http handlers fo...
http before 0.13.3 vulnerable to header injection
An issue was discovered in the http package before 0.13.3 for Dart. If the attacker controls the HTTP method and the app is using Request directly, it's possible to achieve CRLF injection in an HTTP request via HTTP header injection. This issue has been addressed in commit abb2bb182 by validating...
http before 0.13.3 vulnerable to header injection
An issue was discovered in the http package before 0.13.3 for Dart. If the attacker controls the HTTP method and the app is using Request directly, it's possible to achieve CRLF injection in an HTTP request via HTTP header injection. This issue has been addressed in commit abb2bb182 by validating...
Unbounded memory usage on exposed HTTP/2 (non-gRPC) endpoints
Impact The net/http Go package has a reported vulnerability tracked under CVE-2021-44716 which allows attacker controlled HTTP/2 requests to trigger unbounded memory usage in HTTP/2 endpoints. gRPC endpoints are not vulnerable as they rely on their own HTTP/2 implementation instead of the net/htt...
golang: data race in certain net/http servers including ReverseProxy can lead to DoS
A flaw was found Go's net/http package. Servers using ReverseProxy from net/http in the Go standard library are vulnerable to a data race that results in a denial of service. The highest threat from this vulnerability is to system availability...
Google Http package For Dart Cross-Site Request Forgery Vulnerability
Google Http package For Dart is a U.S. Google Inc. for the Dart programming language Http support code base . A cross-site request forgery vulnerability exists in Google Http package For Dart version 0.12.2 and earlier versions, which allows an attacker to implement a CRLF injection into an HTTP...
CVE-2020-35669
An issue was discovered in the http package through 0.12.2 for Dart. If the attacker controls the HTTP method and the app is using Request directly, it's possible to achieve CRLF injection in an HTTP request...
Crlf injection
An issue was discovered in the http package through 0.12.2 for Dart. If the attacker controls the HTTP method and the app is using Request directly, it's possible to achieve CRLF injection in an HTTP request...
CVE-2020-35669
An issue was discovered in the http package through 0.12.2 for Dart. If the attacker controls the HTTP method and the app is using Request directly, it's possible to achieve CRLF injection in an HTTP request...
Google Http package For Dart 注入漏洞
Google Http package For Dart is a U.S. Google Inc. for the Dart programming language Http support code base . A cross-site request forgery vulnerability exists in Google Http package For Dart version 0.12.2 and earlier versions, which allows an attacker to implement a CRLF injection into an HTTP...
INNEO Startup TOOLS 2018 M040 13.0.70.3804 - Remote Code Execution Exploit
Exploit for multiple platform in category web applications Exploit Title: INNEO Startup TOOLS 2018 M040 13.0.70.3804 - Remote Code Execution Exploit Author: Patrick Hener, SySS GmbH Many credits go to Dr. Benjamin Heß, SySS GmbH for helping with php oddities and the powershell payload Advisory:...
CVE-2017-1000098
The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors...
Amazon Linux AMI : golang (ALAS-2016-731) (httpoxy)
An input-validation flaw was discovered in the Go programming language built in CGI implementation, which set the environment variable 'HTTPPROXY' using the incoming 'Proxy' HTTP-request header. The environment variable 'HTTPPROXY' is used by numerous web clients, including Go's net/http package,...
CVE-2016-5386
The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTPPROXY environment variable, which might allow remote attackers to redirect a CGI...