385 matches found
CVE-2023-24807 Undici vulnerable to Regular Expression Denial of Service in Headers
Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the Headers.set and Headers.append methods are vulnerable to Regular Expression Denial of Service ReDoS attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normali...
CVE-2023-24807
Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the Headers.set and Headers.append methods are vulnerable to Regular Expression Denial of Service ReDoS attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normali...
CVE-2023-24807 Undici vulnerable to Regular Expression Denial of Service in Headers
Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the Headers.set and Headers.append methods are vulnerable to Regular Expression Denial of Service ReDoS attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normali...
CVE-2023-24807
Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the Headers.set and Headers.append methods are vulnerable to Regular Expression Denial of Service ReDoS attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normali...
Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS : HAProxy vulnerability (USN-5869-1)
The remote Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-5869-1 advisory. Bahruz Jabiyev, Anthony Gavazzi, Engin Kirda, Kaan Onarlioglu, Adi Peleg, and Harvey Tuch discovered that HAProxy incorrectly handled empt...
CVE-2023-25725
HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some...
openSUSE 15 Security Update : netty (SUSE-SU-2022:1315-1)
The remote openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE- SU-2022:1315-1 advisory. - Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers &...
Amazon Linux 2022 : python-twisted (ALAS2022-2022-231)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2022-231 advisory. - twisted is an event-driven networking engine written in Python. In affected versions twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is...
Medium: java-17-amazon-corretto
Issue Overview: Title: Wider MultiByte conversions Buffer overflow is possible due to incorrect byte count should be character count. CVE-2022-21618 Title: Improve NTLM support writeSecurityBuffer writes a serialized security buffer to be used for NTLM auth. One of the fields that are serialized ...
Medium: java-11-amazon-corretto
Issue Overview: Title: Wider MultiByte conversions Buffer overflow is possible due to incorrect byte count should be character count. CVE-2022-21618 Title: Improve NTLM support writeSecurityBuffer writes a serialized security buffer to be used for NTLM auth. One of the fields that are serialized ...
CVE-2022-41556
A resource leak in gwbackend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service connection-slot exhaustion after a large amount of anomalous TCP behavior by clients. It is related to RDHUP mishandling in certain HTTP/1.1 chunked situations. Use of modfastcgi is, for example,...
Design/Logic Flaw
A resource leak in gwbackend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service connection-slot exhaustion after a large amount of anomalous TCP behavior by clients. It is related to RDHUP mishandling in certain HTTP/1.1 chunked situations. Use of modfastcgi is, for example,...
CVE-2022-41556
A resource leak in gwbackend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service connection-slot exhaustion after a large amount of anomalous TCP behavior by clients. It is related to RDHUP mishandling in certain HTTP/1.1 chunked situations. Use of modfastcgi is, for example,...
CVE-2022-41556
CVE-2022-41556 affects lighttpd 1.4.56–1.4.66, describing a resource leak in gw_backend.c that can cause denial of service (connection-slot exhaustion) after a large amount of anomalous TCP behavior, related to RDHUP mishandling in certain HTTP/1.1 chunked scenarios (mod_fastcgi also affected). T...
CVE-2022-41556
A resource leak in gwbackend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service connection-slot exhaustion after a large amount of anomalous TCP behavior by clients. It is related to RDHUP mishandling in certain HTTP/1.1 chunked situations. Use of modfastcgi is, for example,...
CVE-2022-41556
A resource leak in gwbackend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service connection-slot exhaustion after a large amount of anomalous TCP behavior by clients. It is related to RDHUP mishandling in certain HTTP/1.1 chunked situations. Use of modfastcgi is, for example,...
Ubuntu 22.04 LTS : Twisted vulnerability (USN-5576-1)
The remote Ubuntu 22.04 LTS host has a package installed that is affected by a vulnerability as referenced in the USN-5576-1 advisory. It was discovered that Twisted incorrectly parsed some types of HTTP requests in its web server implementation. In certain proxy or multi-server configurations, a...
CVE-2022-3215
NIOHTTP1 and projects using it for generating HTTP responses can be subject to a HTTP Response Injection attack. This occurs when a HTTP/1.1 server accepts user generated input from an incoming request and reflects it into a HTTP/1.1 response header in some form. A malicious user can add newlines...
CVE-2022-3215
NIOHTTP1 and projects using it for generating HTTP responses can be subject to a HTTP Response Injection attack. This occurs when a HTTP/1.1 server accepts user generated input from an incoming request and reflects it into a HTTP/1.1 response header in some form. A malicious user can add newlines...
[SECURITY] Fedora 37 Update: rubygem-puma-5.6.5-1.fc37
Puma is a simple, fast, threaded, and highly parallel HTTP 1.1 server for Ruby/Rack applications. Puma is intended for use in both development and production environments. It's great for highly parallel Ruby implementations such as Rubinius and JRuby as well as as providing process worker support...