385 matches found
SUSE SLES12 Security Update : nodejs16 (SUSE-SU-2022:3196-1)
The remote SUSE Linux SLES12 / SLESSAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:3196-1 advisory. - CVE-2022-35949: Fixed SSRF when an application takes in user input into the path/pathname option of undici.request bsc1202382. -...
Amazon Linux 2022 : rubygem-puma (ALAS2022-2022-051)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2022-051 advisory. A flaw was found in rubygem-puma. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starv...
Improper Input Validation
trafficserver is vulnerable to improper input validation. The vulnerability exists in HTTP/1.1 header parsing of Apache Traffic Server allows an attacker to send invalid headers...
CVE-2022-35948
undici is an HTTP/1.1 client, written from scratch for Node.js.= [email protected] users are vulnerable to CRLF Injection on headers when using unsanitized input as request headers, more specifically, inside the content-type header. Example: import request from 'undici' const unsanitizedContentTypeInp...
Crlf injection
undici is an HTTP/1.1 client, written from scratch for Node.js.= email protected users are vulnerable to CRLF Injection on headers when using unsanitized input as request headers, more specifically, inside the content-type header. Example: import request from 'undici' const...
CVE-2022-35948
undici is an HTTP/1.1 client, written from scratch for Node.js.= [email protected] users are vulnerable to CRLF Injection on headers when using unsanitized input as request headers, more specifically, inside the content-type header. Example: import request from 'undici' const unsanitizedContentTypeInp...
GLSA-202208-28 : Puma: Multiple Vulnerabilities
The remote host is affected by the vulnerability described in GLSA-202208-28 Puma: Multiple Vulnerabilities - Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been...
CVE-2022-35948
undici is an HTTP/1.1 client, written from scratch for Node.js.= [email protected] users are vulnerable to CRLF Injection on headers when using unsanitized input as request headers, more specifically, inside the content-type header. Example: import request from 'undici' const unsanitizedContentTypeInp...
CVE-2022-35948 CRLF Injection in Nodejs ‘undici’ via Content-Type
undici is an HTTP/1.1 client, written from scratch for Node.js.= [email protected] users are vulnerable to CRLF Injection on headers when using unsanitized input as request headers, more specifically, inside the content-type header. Example: import request from 'undici' const unsanitizedContentTypeInp...
CVE-2022-35948
CVE-2022-35948 affects the undici HTTP/1.1 client for Node.js. When user input is unsanitized in the Content-Type header, CRLF Injection can cause multiple requests in a single call (e.g., two GETs). The issue is fixed in undici v5.8.1; workaround: sanitize input before sending as a Content-Type ...
CVE-2022-35949
undici is an HTTP/1.1 client, written from scratch for Node.js.undici is vulnerable to SSRF Server-side Request Forgery when an application takes in user input into the path/pathname option of undici.request. If a user specifies a URL such as http://127.0.0.1 or //127.0.0.1 js const undici =...
CVE-2022-35949 `undici.request` vulnerable to SSRF using absolute URL on `pathname`
undici is an HTTP/1.1 client, written from scratch for Node.js.undici is vulnerable to SSRF Server-side Request Forgery when an application takes in user input into the path/pathname option of undici.request. If a user specifies a URL such as http://127.0.0.1 or //127.0.0.1 js const undici =...
CVE-2022-35949
undici is an HTTP/1.1 client, written from scratch for Node.js.undici is vulnerable to SSRF Server-side Request Forgery when an application takes in user input into the path/pathname option of undici.request. If a user specifies a URL such as http://127.0.0.1 or //127.0.0.1 js const undici =...
CVE-2022-28129
Improper Input Validation vulnerability in HTTP/1.1 header parsing of Apache Traffic Server allows an attacker to send invalid headers. This issue affects Apache Traffic Server 8.0.0 to 9.1.2...
Input validation
Improper Input Validation vulnerability in HTTP/1.1 header parsing of Apache Traffic Server allows an attacker to send invalid headers. This issue affects Apache Traffic Server 8.0.0 to 9.1.2...
CVE-2022-28129
Improper Input Validation vulnerability in HTTP/1.1 header parsing of Apache Traffic Server allows an attacker to send invalid headers. This issue affects Apache Traffic Server 8.0.0 to 9.1.2...
CVE-2022-28129
Apache Traffic Server versions 8.0.0–9.1.2 are affected by CVE-2022-28129 due to improper input validation in HTTP/1.1 header parsing, allowing an attacker to send invalid headers. Fedora advisories indicate upgrades to 9.1.3 (and 8.0.2+ds-1+deb10u7 for Debian) to fix the issue. CVSSv3 base score...
CVE-2022-28129 Insufficient Validation of HTTP/1.x Headers
Improper Input Validation vulnerability in HTTP/1.1 header parsing of Apache Traffic Server allows an attacker to send invalid headers. This issue affects Apache Traffic Server 8.0.0 to 9.1.2...
CVE-2022-31150
undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate \r\n is a workaround for this...
CVE-2022-31150
undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate \r\n is a workaround for this...