aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser

Impact aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6 which is vulnerable to CVE-2023-30589. The vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel. This vulnerability only affects users of aiohttp as an...

Oracle HTTP Server (Jul 2023 CPU)

The version of Oracle HTTP Server installed on the remote host are affected by multiple vulnerabilities as referenced in the Jul 2023 CPU advisory. - Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware component: Thirdparty LibExpat. The supported version that is affected ...

Zimbra Collaboration Server 9.0.0 < 9.0.0 Patch 33 Multiple Vulnerabilities

According to its self-reported version number, Zimbra Collaboration Server is affected by multiple vulnerabilities including: - Vulnerability in the sfdcpreauth.jsp component. A remote, unauthenticated attacker can exploit this vulnerability to execute arbitrary code. CVE-2023-29382 - HTTP reques...

CVE-2023-37276

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. Vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel. This vulnerability only...

Design/Logic Flaw

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. Vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel. This vulnerability only...

CVE-2023-37276

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. Vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel. This vulnerability only...

CVE-2023-37276 aiohttp vulnerable to HTTP request smuggling

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. Vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel. This vulnerability only...

CVE-2023-37276

CVE-2023-37276 affects aiohttp when used as an HTTP server (aiohttp.Application); vulnerable code is in the llhttp-based HTTP request parser bundled with aiohttp v3.8.4 and earlier. Exploitation can lead to HTTP request smuggling. The issue is addressed in aiohttp 3.8.5; upgrading is recommended....

CVE-2023-37276 aiohttp vulnerable to HTTP request smuggling

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. Vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel. This vulnerability only...

Oracle Enterprise Manager Ops Center (Jul 2023 CPU)

The 12.4.0.0 version of Enterprise Manager Ops Center installed on the remote host is affected by multiple vulnerabilities as referenced in the July 2023 CPU advisory: - Vulnerability in the Oracle Enterprise Manager Ops Center product of Oracle Enterprise Manager component: Networking Apache HTT...

CVE-2023-34036

Reactive web applications that use Spring HATEOAS to produce hypermedia-based responses might be exposed to malicious forwarded headers if they are not behind a trusted proxy that ensures correctness of such headers, or if they don't have anything else in place to handle and possibly discard...

CVE-2023-34036

Reactive web applications that use Spring HATEOAS to produce hypermedia-based responses might be exposed to malicious forwarded headers if they are not behind a trusted proxy that ensures correctness of such headers, or if they don't have anything else in place to handle and possibly discard...

Design/Logic Flaw

Reactive web applications that use Spring HATEOAS to produce hypermedia-based responses might be exposed to malicious forwarded headers if they are not behind a trusted proxy that ensures correctness of such headers, or if they don't have anything else in place to handle and possibly discard...

CVE-2023-34036 Forwarded header exploit with Spring HATEOAS on WebFlux

Reactive web applications that use Spring HATEOAS to produce hypermedia-based responses might be exposed to malicious forwarded headers if they are not behind a trusted proxy that ensures correctness of such headers, or if they don't have anything else in place to handle and possibly discard...

CVE-2023-34036 Forwarded header exploit with Spring HATEOAS on WebFlux

Reactive web applications that use Spring HATEOAS to produce hypermedia-based responses might be exposed to malicious forwarded headers if they are not behind a trusted proxy that ensures correctness of such headers, or if they don't have anything else in place to handle and possibly discard...

CLSA-2023-1689259392 Fix CVE(s): CVE-2021-28861

SECURITY UPDATE: Redirection vulnerability in http.server - debian/patches/CVE-2021-28861.patch: Fix an open redirection vulnerability in the http.server module when an URI path starts with // - debian/patches/expat-regression.patch: some tests were fixed - CVE-2021-28861...

Security Bulletin: Vulnerabilities have been identified in OpenSSL, Apache HTTP Server and other system libraries shipped with the DS8000 Hardware Management Console (HMC)

Summary IBM DS8900 Management Console is affected by Open Source expat CVE-2022-43680, libxml2 CVE-2022-40303, CVE-2022-40304, dbus CVE-2022-42010, CVE-2022-42011, CVE-2022-42012, httpd CVE-2023-25690, systemd CVE-2022-4415, OpenSSL CVE-2022-4304, CVE-2022-4450, CVE-2023-0215, CVE-2023-0286,...

Ubuntu 16.04 ESM / 18.04 ESM : Gorilla WebSocket vulnerability (USN-6208-1)

The remote Ubuntu 16.04 ESM / 18.04 ESM host has packages installed that are affected by a vulnerability as referenced in the USN-6208-1 advisory. It was discovered that Gorilla WebSocket incorrectly handled decoding WebSocket frames. An attacker could possibly use this issue to cause a crash,...

Taking over Milesight UR32L routers behind a VPN: 22 vulnerabilities and a full chain

Cisco Talos discovered 17 vulnerabilities 63 CVEs in the Milesight UR32L router and five vulnerabilities six CVEs in the Milesight MilesightVPN remote access solution software. An attacker could exploit the vulnerabilities discovered to completely compromise the UR32L and MilesightVPN. This post...

Nexxt Nebula 1200-AC 安全漏洞

The Nexxt Nebula 1200-AC is a wireless router from Nexxt USA. A security vulnerability exists in the Nexxt Nebula 1200-AC version 15.03.06.60, which originates from using the HTTPD service to enable TELNET to bypass authentication and command execution...