4432 matches found

Prion
added 2021/09/09 10:15 p.m., 20 views

Design/Logic Flaw

Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, incorrectly handles resetting of HTTP/2 streams with excessive complexity. This can lead to high CPU utilization when a large number of streams are reset. This can result in a DoS condition. Pomerium versio...

CVSS 5 | AI score 7.4 | EPSS 0.01609
Exploits 0 | References 3 | Affected Software 2
OpenVAS
added 2021/09/08 12:00 a.m., 34 views

openSUSE: Security Advisory for apache2 (openSUSE-SU-2021:1234-1)

The remote host is missing an update for the Copyright (C) 2021 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

CVSS 7.5 | AI score 8.7 | EPSS 0.46179
Exploits 1 | References 2
Debian
added 2021/09/07 8:58 p.m., 33 views

[SECURITY] [DSA 4968-1] haproxy security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4968-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso September 07, 2021 https://www.debian.org/security/faq -...

CVSS 5 | AI score 0.9 | EPSS 0.56083
Exploits 5
Debian
added 2021/09/07 8:58 p.m., 51 views

[SECURITY] [DSA 4968-1] haproxy security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4968-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso September 07, 2021 https://www.debian.org/security/faq -...

CVSS 7.5 | AI score 7.6 | EPSS 0.56083
Exploits 5
OSV
added 2021/09/07 9:31 a.m., 17 views

OPENSUSE-SU-2021:1234-1 Security update for apache2

This update for apache2 fixes the following issues: - CVE-2021-33193: Fixed request splitting via HTTP/2 method injection and mod_proxy (bsc#1189387). This update was imported from the SUSE:SLE-15-SP2:Update update project...

CVSS 7.5 | AI score 7.9 | EPSS 0.46179
Exploits 1 | References 3
OPENSUSE Linux
added 2021/09/07 12:00 a.m., 63 views

Security update for apache2 (important)

openSUSE Security Update: Security update for apache2. Announcement ID: openSUSE-SU-2021:1234-1. Rating: important. References: 1189387. Cross-References: CVE-2021-33193. CVSS scores: CVE-2021-33193 SUSE: 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. Affected Products: openSUSE Leap 15.2. An update...

CVSS 9.1 | AI score 8.1 | EPSS 0.46179
Exploits 1 | References 1
OpenVAS
added 2021/09/05 12:00 a.m., 32 views

SUSE: Security Advisory (SUSE-SU-2021:2954-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2021 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only if(description)...

CVSS 7.5 | AI score 8.1 | EPSS 0.46179
Exploits 1 | References 2
Tenable Nessus
added 2021/09/04 12:00 a.m., 31 views

openSUSE 15 Security Update : apache2 (openSUSE-SU-2021:2954-1)

The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2021:2954-1 advisory. - A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning...

CVSS 7.5 | AI score 6.9 | EPSS 0.46179
Exploits 1 | References 4
Tenable Nessus
added 2021/09/04 12:00 a.m., 44 views

SUSE SLED12: apache2 / apache2-devel / apache2-doc / apache2-example-pages / etc (SUSE-SU-2021:2918-1)

The remote SUSE Linux SLED12 / SLES12 / SLESSAP12 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2021:2918-1 advisory. - CVE-2021-33193: Fixed request splitting via HTTP/2 method injection and mod_proxy (bsc#1189387). Tenable has extracted the preceding...

CVSS 7.5 | AI score 6.7 | EPSS 0.46179
Exploits 1 | References 4
OSV
added 2021/09/03 12:43 p.m., 16 views

OPENSUSE-SU-2021:2954-1 Security update for apache2

This update for apache2 fixes the following issues: - CVE-2021-33193: Fixed request splitting via HTTP/2 method injection and mod_proxy (bsc#1189387)...

CVSS 7.5 | AI score 7.9 | EPSS 0.46179
Exploits 1 | References 3
OPENSUSE Linux
added 2021/09/03 12:00 a.m., 52 views

Security update for apache2 (important)

openSUSE Security Update: Security update for apache2. Announcement ID: openSUSE-SU-2021:2954-1. Rating: important. References: 1189387. Cross-References: CVE-2021-33193. CVSS scores: CVE-2021-33193 SUSE: 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. Affected Products: openSUSE Leap 15.3. An update...

CVSS 9.1 | AI score 8.1 | EPSS 0.46179
Exploits 1 | References 1
OpenVAS
added 2021/09/03 12:00 a.m., 29 views

SUSE: Security Advisory (SUSE-SU-2021:2918-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2021 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only if(description)...

CVSS 7.5 | AI score 7.9 | EPSS 0.46179
Exploits 1 | References 4
Github Security Blog
added 2021/08/25 8:58 p.m., 30 views

HTTP Request Smuggling in actix-http

Affected versions of this crate did not properly detect invalid requests that could allow HTTP/1 request smuggling (HRS) attacks when running alongside a vulnerable front-end proxy server. This can result in leaked internal and/or user data, including credentials, when the front-end proxy is also...

CVSS 7.5 | AI score 7.2 | EPSS 0.0181
Exploits 1 | References 7 | Affected Software 1
RedhatCVE
added 2021/08/24 10:14 p.m., 42 views

CVE-2021-32778

An uncontrolled resource consumption vulnerability was found in envoyproxy/envoy. When envoy handles a large number of HTTP/2 requests which open and then reset the connection, it can cause excessive CPU usage. This flaw allows an attacker to cause a denial of service on the proxy. The highest...

CVSS 7.5 | AI score 2.6 | EPSS 0.0123
Exploits 0 | References 4
NVD
added 2021/08/24 9:15 p.m., 21 views

CVE-2021-32778

Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions envoy's procedure for resetting a HTTP/2 stream has O(N^2) complexity, leading to high CPU utilization when a large number of streams are reset. Deployments are...

CVSS 7.5 | EPSS 0.0123
Exploits 0 | References 2
OSV
added 2021/08/24 9:15 p.m., 20 views

CVE-2021-32778

Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions envoy's procedure for resetting a HTTP/2 stream has O(N^2) complexity, leading to high CPU utilization when a large number of streams are reset. Deployments are...

CVSS 7.5 | AI score 6.5
Exploits 0 | References 2
Prion
added 2021/08/24 9:15 p.m., 20 views

Design/Logic Flaw

Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions envoy's procedure for resetting a HTTP/2 stream has O(N^2) complexity, leading to high CPU utilization when a large number of streams are reset. Deployments are...

CVSS 5 | AI score 7.4 | EPSS 0.0123
Exploits 0 | References 2 | Affected Software 1
CVE
added 2021/08/24 8:30 p.m., 102 views

CVE-2021-32778

CVE-2021-32778 affects Envoy, where the HTTP/2 stream reset procedure has O(N^2) time complexity, causing high CPU and potential DoS when many streams are opened and closed. Connected advisories indicate fixes in Envoy versions 1.16.5, 1.17.4, 1.18.4, and 1.19.1, addressing the inefficiency. Othe...

CVSS 7.5 | AI score 6.3 | EPSS 0.0123
Exploits 0 | References 2 | Affected Software 1
Cvelist
added 2021/08/24 8:30 p.m., 22 views

CVE-2021-32778 Excessive CPU utilization when closing HTTP/2 streams

Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions envoy's procedure for resetting a HTTP/2 stream has O(N^2) complexity, leading to high CPU utilization when a large number of streams are reset. Deployments are...

CVSS 5.8 | AI score 7.7 | EPSS 0.0123
Exploits 0 | References 2
RedhatCVE
added 2021/08/22 1:44 p.m., 61 views

CVE-2021-21295

In Netty io.netty:netty-codec-http2 before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by Http2MultiplexHandler as it is propagated up. This is fine as long as the...

CVSS 5.9 | AI score 1.3 | EPSS 0.18891
Exploits 0 | References 4