83 matches found
Amazon Linux 2023 : amazon-ssm-agent (ALAS2023-2024-526)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2024-526 advisory. 2024-02-29: CVE-2023-39326 was added to this advisory. 2024-02-29: CVE-2023-39325 was added to this advisory. 2024-02-29: CVE-2023-49568 was added to this advisory. The HTTP/2 protocol allows a...
PT-2024-2655 · Libcurl +12 · Libcurl +12
Name of the Vulnerable Software and Affected Versions: libcurl affected versions not specified Description: The issue is related to a memory leak in libcurl when handling HTTP/2 server push. When the amount of received headers for the push surpasses the maximum allowed limit 1000, libcurl aborts...
EulerOS 2.0 SP9 : golang (EulerOS-SA-2023-3299)
According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or...
Fedora 37 : golang-github-openprinting-ipp-usb (2023-ce2836acfa)
The remote Fedora 37 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-ce2836acfa advisory. Security fix for CVE-2022-41717 Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus h...
Fedora 38 : podman-tui (2023-e359fd31d2)
The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-e359fd31d2 advisory. podman-tui v0.12.0 + security fix for CVE-2023-39325 and CVE-2022-41717 and CVE-2022-41723 Tenable has extracted the preceding description block...
Fedora 37 : pack (2023-5029b92850)
The remote Fedora 37 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-5029b92850 advisory. fix for CVE-2023-39325 Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not tested for...
Amazon Linux 2 : docker (ALASECS-2023-019)
The version of docker installed on the remote host is prior to 20.10.25-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2ECS-2023-019 advisory. http2/hpack: avoid quadratic complexity in hpack decoding CVE-2022-41723 Templates did not properly consider backticks...
Amazon Linux 2 : amazon-ecr-credential-helper (ALASNITRO-ENCLAVES-2023-033)
The version of amazon-ecr-credential-helper installed on the remote host is prior to 0.7.1-2. It is, therefore, affected by a vulnerability as referenced in the ALAS2NITRO-ENCLAVES-2023-033 advisory. The HTTP/2 protocol allows a denial of service server resource consumption because request...
[SECURITY] Fedora 38 Update: nghttp2-1.52.0-2.fc38
This package contains the HTTP/2 client, server and proxy programs...
CVE-2023-39325
CVE-2023-39325 describes a DoS in HTTP/2 handling where a malicious client rapidly creates and resets requests, potentially exhausting server resources. The fix tightens per-connection concurrency handling: servers bound the number of executing handler goroutines to the stream-concurrency limit (...
AlmaLinux 8 : git-lfs (ALSA-2023:2866)
The remote AlmaLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ALSA-2023:2866 advisory. - Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. Thi...
Amazon Linux 2023 : golang, golang-bin, golang-misc (ALAS2023-2023-175)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2023-175 advisory. Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption. CVE-2022-23772 cmd/go in Go before 1.16.14 and 1.17.x...
Fedora 36 : pack (2023-0c354a3f9a)
The remote Fedora 36 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-0c354a3f9a advisory. Security fix for CVE-2022-41717 Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus h...
K81557381: BIG-IP HTTP/2 vulnerability CVE-2019-6673
Security Advisory Description When the BIG-IP system is configured in HTTP/2 full proxy mode, specifically crafted requests may cause a disruption of service provided by the Traffic Management Microkernel TMM. CVE-2019-6673 Impact An attacker may be able to use a specifically crafted request to...
Fedora 36 : git-credential-oauth (2023-2663dc67d8)
The remote Fedora 36 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-2663dc67d8 advisory. Rebuild for security fix Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not tested fo...
RHEL 9 : go-toolset and golang (RHSA-2023:0328)
The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:0328 advisory. Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. The golang packages provide the Go...
Design/Logic Flaw
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate...
Debian dla-3079 : jetty9 - security update
The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3079 advisory. ------------------------------------------------------------------------- Debian LTS Advisory DLA-3079-1 [email protected]...
CVE-2022-2048
In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are no enough resources lef...
FreeBSD : py-twisted -- multiple vulnerabilities (9fbaefb3-837e-11ea-b5b4-641c67a117d8) (Ping Flood) (Reset Flood) (Settings Flood)
Twisted developers reports : All HTTP clients in twisted.web.client now raise a ValueError when called with a method and/or URL that contain invalid characters. This mitigates CVE-2019-12387. Thanks to Alex Brasetvik for reporting this vulnerability. The HTTP/2 server implementation now enforces...