16601 matches found
AZL-27279 CVE-2023-30589 affecting package nodejs18 for versions less than 18.17.1-2
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling HRS. The CR character without LF is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only th...
UBUNTU-CVE-2023-30589
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling HRS. The CR character without LF is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only th...
Crlf injection
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling HRS. The CR character without LF is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only th...
CVE-2023-30589
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling HRS. The CR character without LF is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only th...
CVE-2023-30589
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling HRS. The CR character without LF is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only th...
CVE-2023-30589
CVE-2023-30589 – Node.js (llhttp CRLF handling) – Technical summary The llhttp parser in Node.js’ http module does not strictly use CRLF to delimit HTTP header fields, potentially allowing HTTP Request Smuggling. The CR character alone (without LF) can delimit headers, contrary to RFC7230 which r...
CVE-2023-30589
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling HRS. The CR character without LF is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only th...
CVE-2023-30589
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling HRS. The CR character without LF is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only th...
Security Bulletin: Watson CP4D Data Stores is vulnerable to Golang Go is vulnerable to HTTP request smuggling(CVE-2022-1705)
Summary Potential Golang Go HTTP request smuggling vulnerability CVE-2022-1705 has been identified that may affect Watson CP4D Data Stores Refer to details for additional information. Vulnerability Details CVEID:CVE-2022-1705 DESCRIPTION: Golang Go is vulnerable to HTTP request smuggling, caused ...
Security Bulletin: Multiple vulnerabilities affect IBM Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data
Summary IBM has released the below fix for IBM Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data in response to multiple vulnerabilities found in multiple components. Vulnerability Details CVEID:CVE-2022-41721 DESCRIPTION: Golang Go is vulnerable to HTTP request smuggling, cause...
Schneider Electric Modicon Improper Input Validation (CVE-2018-7761)
A vulnerability exists in the HTTP request parser in Schneider Electric's Modicon M340, Modicon Premium, Modicon Quantum PLC, BMXNOR0200 which could allow arbitrary code execution. This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more informatio...
Schneider Electric Modicon Improper Input Validation (CVE-2021-22787)
A CWE-20: Improper Input Validation vulnerability exists that could cause denial of service of the device when an attacker sends a specially crafted HTTP request to the web server of the device. Affected Product: Modicon M340 CPUs: BMXP34 Versions prior to V3.40, Modicon M340 X80 Ethernet...
SUSE SLES15 / openSUSE 15 Security Update : nodejs18 (SUSE-SU-2023:2669-1)
The remote SUSE Linux SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:2669-1 advisory. Update to version 18.16.1: - CVE-2023-30581: Fixed mainModule.proto Bypass Experimental Policy Mechanism bsc1212574. ...
Security Bulletin: IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Netty
Summary IBM Watson Discovery Cartridge for IBM Cloud Pak for Data contains a vulnerable version of Netty. Vulnerability Details CVEID:CVE-2022-41881 DESCRIPTION: Netty is vulnerable to a denial of service, caused by a StackOverflowError in HAProxyMessageDecoder. By sending a specially-crafted...
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to HTTP request smuggling in Golang Go ( CVE-2022-41721)
Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to HTTP request smuggling in Golang Go, caused by a flaw when using MaxBytesHandler CVE-2022-41721. Golang Go is included as part of the operators used by our speech services. This vulnerabilitiy has been...
SUSE SLES12 Security Update : nodejs16 (SUSE-SU-2023:2655-1)
The remote SUSE Linux SLES12 / SLESSAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:2655-1 advisory. Update to version 16.20.1: - CVE-2023-30581: Fixed mainModule.proto Bypass Experimental Policy Mechanism bsc1212574. -...
SUSE SLES15 / openSUSE 15 Security Update : nodejs16 (SUSE-SU-2023:2663-1)
The remote SUSE Linux SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:2663-1 advisory. Update to version 16.20.1: - CVE-2023-30581: Fixed mainModule.proto Bypass Experimental Policy Mechanism bsc1212574. ...
SUSE-SU-2023:2663-1 Security update for nodejs16
This update for nodejs16 fixes the following issues: Update to version 16.20.1: - CVE-2023-30581: Fixed mainModule.proto Bypass Experimental Policy Mechanism bsc1212574. - CVE-2023-30585: Fixed privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process...
FortiNAC - External Control of File Name or Path in keyUpload scriptlet (FG-IR-22-300)
The version of Fortinet FortiNAC installed on the remote host is 8.3.x, 8.5.x, 8.6.x, 8.7.x, 8.8.x, 9.1.x prior to 9.1.8, 9.2.x prior to 9.2.6, or 9.4.x prior to 9.4.1. It is, therefore, affected by an external control of file name or path security issue. An unauthenticated, remote attacker can...
CVE-2023-30258
Command Injection vulnerability in MagnusSolution magnusbilling 6.x and 7.x allows remote attackers to run arbitrary commands via unauthenticated HTTP request...