10 matches found

Tenable Nessus
added 2026/05/27 12:0 a.m. | 8 views

Amazon Linux 2023 : runfinch-finch (ALAS2023-2026-1741)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1741 advisory. When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. CVE-2026-33811 When processing HTTP/2 SETTINGS frames, transport...

7.5 CVSS | 7.5 AI score | 0.00054 EPSS
Exploits 0 | References 16

Tenable Nessus
added 2026/05/27 12:0 a.m. | 11 views

Amazon Linux 2023 : golang, golang-bin, golang-misc (ALAS2023-2026-1743)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1743 advisory. When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. CVE-2026-33811 When processing HTTP/2 SETTINGS frames, transport...

7.5 CVSS | 7.6 AI score | 0.00054 EPSS
Exploits 0 | References 22

Veracode
added 2025/05/14 9:50 a.m. | 6 views

Denial Of Service (DoS)

org.eclipse.jetty.http2, jetty-http2-common is vulnerable to Denial Of Service (DoS). The vulnerability is due to missing validation of the SETTINGS_MAX_HEADER_LIST_SIZE parameter in HTTP/2 settings frames. Specifically, Jetty fails to enforce reasonable limits on this value, allowing an attacker to...

7.5 CVSS | 6.5 AI score | 0.00576 EPSS
Exploits 0 | References 6 | Affected Software 2

OSV
added 2025/05/08 6:15 p.m. | 3 views

DEBIAN-CVE-2025-1948

In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the specified capacity to...

7.5 CVSS | 7.5 AI score | 0.00576 EPSS
Exploits 0 | References 1

Debian CVE
added 2025/05/08 5:48 p.m. | 21 views

CVE-2025-1948

In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the specified capacity to...

7.5 CVSS | 7.5 AI score | 0.00576 EPSS
Exploits 0

IBM Security Bulletins
added 2020/08/03 10:56 p.m. | 55 views

Security Bulletin: Vulnerabilities in Node.js affect IBM Spectrum Protect Plus (CVE-2020-10531, CVE-2020-8172, CVE-2020-8174, CVE-2020-11080)

Summary: Node.js is vulnerable to buffer overflows, bypass of security restrictions, and denial of service which may affect IBM Spectrum Protect Plus. Vulnerability Details: CVEID: CVE-2020-10531 DESCRIPTION: International Components for Unicode (ICU) for C/C++ is vulnerable to a heap-based buffer...

9.3 CVSS | 1.6 AI score | 0.01491 EPSS
Exploits 2 | Affected Software 1

IBM Security Bulletins
added 2020/07/29 7:36 a.m. | 58 views

Security Bulletin: Multiple security vulnerabilities in Node.js affect IBM App Connect Enterprise V11

Summary: IBM App Connect Enterprise V11 ships with Node.js for which vulnerabilities were reported and have been addressed. Vulnerability details are listed below. Vulnerability Details: CVEID: CVE-2020-11080 DESCRIPTION: Node.js is vulnerable to a denial of service, caused by an error in the HTTP/...

9.3 CVSS | 1.4 AI score | 0.01491 EPSS
Exploits 1 | Affected Software 1

Amazon
added 2020/06/30 12:0 a.m. | 43 views

Important: nghttp2

Issue Overview: In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The...

7.5 CVSS | 7.1 AI score | 0.01247 EPSS
Exploits 0

OSV
added 2020/06/09 12:17 p.m. | 4 views

SUSE-SU-2020:1576-1 Security update for nodejs8

This update for nodejs8 fixes the following issues: - CVE-2020-8174: Fixed multiple memory corruption in napi_get_value_string (bsc#1172443). - CVE-2020-11080: Fixed a potential denial of service when receiving unreasonably large HTTP/2 SETTINGS frames (bsc#1172442). - CVE-2020-7598: Fixed an issue which...

9.3 CVSS | 7 AI score | 0.01491 EPSS
Exploits 3 | References 7

Vulnrichment
added 2020/06/03 12:0 a.m. | 3 views

CVE-2020-11080 Denial of service in nghttp2

In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes th...

3.7 CVSS | 6.5 AI score | 0.01247 EPSS
Exploits 0 | References 14