258 matches found
CVE-2024-25622 H2O ignores headers configuration directives
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. The configuration directives provided by the headers handler allows users to modify the response headers being sent by h2o. The configuration file of h2o has scopes, and the inner scopes e.g., path level are expected to inherit t...
CVE-2024-25622 H2O ignores headers configuration directives
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. The configuration directives provided by the headers handler allows users to modify the response headers being sent by h2o. The configuration file of h2o has scopes, and the inner scopes e.g., path level are expected to inherit t...
Important: .NET 8.0 security update
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 8.0.110 and .NET Runtime 8.0.10...
ALSA-2024:7869 Important: .NET 8.0 security update
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 8.0.110 and .NET Runtime 8.0.10...
GHSA-7VW9-CFWX-9GX9 Microsoft Security Advisory CVE-2024-38229 | .NET Remote Code Execution Vulnerability
Microsoft Security Advisory CVE-2024-38229 | .NET Remote Code Execution Vulnerability Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update the...
Ubuntu 22.04 LTS / 24.04 LTS : .NET vulnerabilities (USN-7058-1)
The remote Ubuntu 22.04 LTS / 24.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-7058-1 advisory. Brennan Conroy discovered that the .NET Kestrel web server did not properly handle closing HTTP/3 streams under certain circumstances. An...
Nginx 1.25.x < 1.26.1 Multiple Vulnerabilities
According to its Server response header, the installed version of nginx is 1.25.x prior to 1.26.1. It is, therefore, affected by four security issues were identified in nginx HTTP/3 implementation, which might allow an attacker that uses a specially crafted QUIC session to cause a worker process...
ROS-20240725-01
Vulnerability of HTTP/3 QUIC module ngxhttpv3module of NGINX Plus and NGINX OSS web servers is related to null pointer dereferencing. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service. remotely to cause a denial of service using specially craft...
Internet Bug Bounty: CVE-2024-3416: MTU of 4096 or greater without fragmentation may cause NGINX worker processes to leak previously freed memory
A vulnerability was discovered in NGINX Plus or NGINX OSS when configured to use the HTTP/3 QUIC module. If the network infrastructure supported a Maximum Transmission Unit MTU of 4096 or greater without fragmentation, undisclosed QUIC packets could cause NGINX worker processes to leak previously...
Remote Code Execution (RCE)
.NET is vulnerable to Remote Code Execution RCE. The vulnerability is due to data corruption in Kestrel HTTP/3 server, which can result in remote code execution. An attacker can exploit this to execute arbitrary code on the affected system...
GHSA-CHFC-9W6M-75RF Microsoft Security Advisory CVE-2024-35264 | .NET Remote Code Execution Vulnerability
Microsoft Security Advisory CVE-2024-35264 | .NET Remote Code Execution Vulnerability Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0. This advisory also provides guidance on what developers can do to update their applicatio...
Microsoft Security Advisory CVE-2024-35264 | .NET Remote Code Execution Vulnerability
Microsoft Security Advisory CVE-2024-35264 | .NET Remote Code Execution Vulnerability Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0. This advisory also provides guidance on what developers can do to update their applicatio...
GO-2024-2973 Bypassing IP allow-lists in traefik via HTTP/3 early data requests in QUIC 0-RTT handshakes in github.com/traefik/traefik
Bypassing IP allow-lists in traefik via HTTP/3 early data requests in QUIC 0-RTT handshakes in github.com/traefik/traefik...
Authorization Bypass
github.com/traefik/traefik is vulnerable to Authorization Bypass.The vulnerability is caused due to improper handling of HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses, which allows an attacker to bypass IP allow-lists...
FreeBSD : traefik -- Bypassing IP allow-lists via HTTP/3 early data requests (767dfb2d-3c9e-11ef-a829-5404a68ad561)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 767dfb2d-3c9e-11ef-a829-5404a68ad561 advisory. The traefik authors report: There is a vulnerability in Traefik that allows bypassing IP allow-lists vi...
CVE-2024-39321
An authorization bypass vulnerability was found in Traefik. This flaw allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. Mitigation Mitigation for this issue is either not available or the currently available options do not meet...
GHSA-GXRV-WF35-62W9 Bypassing IP allow-lists in traefik via HTTP/3 early data requests in QUIC 0-RTT handshakes
Impact There is a vulnerability in Traefik that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. Patches - https://github.com/traefik/traefik/releases/tag/v2.11.6 - https://github.com/traefik/traefik/releases/tag/v3.0.4 -...
Bypassing IP allow-lists in traefik via HTTP/3 early data requests in QUIC 0-RTT handshakes
Impact There is a vulnerability in Traefik that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. Patches - https://github.com/traefik/traefik/releases/tag/v2.11.6 - https://github.com/traefik/traefik/releases/tag/v3.0.4 -...
CVE-2024-39321
Traefik is an HTTP reverse proxy and load balancer. Versions prior to 2.11.6, 3.0.4, and 3.1.0-rc3 have a vulnerability that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. Versions 2.11.6, 3.0.4, and 3.1.0-rc3 contain a patc...
CVE-2024-39321
Traefik is an HTTP reverse proxy and load balancer. Versions prior to 2.11.6, 3.0.4, and 3.1.0-rc3 have a vulnerability that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. Versions 2.11.6, 3.0.4, and 3.1.0-rc3 contain a patc...