1072 matches found
Important: amazon-ecr-credential-helper
Issue Overview: The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. CVE-2023-39325 Affected Packages: amazon-ecr-credential-helper Note: This advisory is...
Design/Logic Flaw
The Android Client application, when enrolled with the define method 1 the user manually inserts the server ip address, use HTTP protocol to retrieve sensitive information ip address and credentials to connect to a remote MQTT broker entity instead of HTTPS and this feature is not configurable by...
CVE-2023-45321
The Android Client application, when enrolled with the define method 1 the user manually inserts the server ip address, use HTTP protocol to retrieve sensitive information ip address and credentials to connect to a remote MQTT broker entity instead of HTTPS and this feature is not configurable by...
CVE-2023-45220
The Android Client application, when enrolled with the define method 1the user manually inserts the server ip address, use HTTP protocol to retrieve sensitive information ip address and credentials to connect to a remote MQTT broker entity instead of HTTPS and this feature is not configurable by...
PT-2023-29462 · Google · Android Client
Name of the Vulnerable Software and Affected Versions: Android Client affected versions not specified Description: The Android Client application uses the HTTP protocol to retrieve sensitive information, including IP addresses and credentials to connect to a remote MQTT broker entity, instead of...
PT-2023-29497 · Google · Android Client
Name of the Vulnerable Software and Affected Versions: Android Client application affected versions not specified Description: The issue concerns the use of the HTTP protocol instead of HTTPS to retrieve sensitive information, including IP addresses and credentials for a remote MQTT broker entity...
HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RSTSTREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any...
HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RSTSTREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any...
PT-2023-6208 · Oracle · Oracle Enterprise Command Center Framework
Name of the Vulnerable Software and Affected Versions: Oracle Enterprise Command Center Framework versions 8 through 10 Description: The issue is related to insufficient input validation in the UI Components of the Oracle Enterprise Command Center Framework, allowing an unauthenticated attacker...
Important: tomcat
Issue Overview: Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts...
AZL-34015 CVE-2023-39325 affecting package kata-containers-cc for versions less than 3.2.0.azl2-1
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a ne...
AZL-35349 CVE-2023-39325 affecting package vitess for versions less than 16.0.2-5
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a ne...
AZL-34747 CVE-2023-39325 affecting package golang for versions less than 1.20.7-2
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a ne...
AZL-43741 CVE-2023-39325 affecting package nmi 1.8.17-6
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a ne...
UBUNTU-CVE-2023-36478
Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in MetaDataBuilder.checkSize allows for HTTP/2 HPACK header values to exceed their size limit. MetaDataBuilder.java determines if a...
AZL-43747 CVE-2023-44487 affecting package podman 4.1.1-26
The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...
AZL-31315 CVE-2023-44487 affecting package kata-containers-cc for versions less than 0.6.1-2
The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...
AZL-31345 CVE-2023-44487 affecting package skopeo for versions less than 1.12.0-4
The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...
AZL-34964 CVE-2023-44487 affecting package local-path-provisioner for versions less than 0.0.21-12
The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...
AZL-31328 CVE-2023-44487 affecting package moby-containerd for versions less than 1.6.22-2
The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...