CVE-2021-20220
A flaw was found in Undertow. A regression in the fix for CVE-2020-10687 was found. HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS...
Security Bulletin: API Connect is impacted by a denial of service (DoS) vulnerability in Node.js (CVE-2020-11080)
Summary IBM API Connect has addressed the following vulnerability Vulnerability Details CVEID: CVE-2020-11080 DESCRIPTION: Node.js is vulnerable to a denial of service, caused by an error in the HTTP/2 session frame which is limited to 32 settings by default. By sending overly large HTTP/2 SETTIN...
Important: Red Hat Security Advisory: Red Hat support for Spring Boot 2.3.6 security update
An update is now available for Red Hat support for Spring Boot. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more...
PT-2021-2443
Name of the Vulnerable Software and Affected Versions: Apache Tomcat versions 8.5.0 through 8.5.61 Apache Tomcat versions 9.0.0.M1 through 9.0.41 Apache Tomcat versions 10.0.0-M1 through 10.0.0 Description: The issue is related to the implementation of the HTTP/2 protocol in Apache Tomcat, which...
CentOS 8 : haproxy (CESA-2020:1725)
The remote CentOS Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the CESA-2020:1725 advisory. - haproxy: HTTP request smuggling issue with transfer-encoding header containing an obfuscated chunked value CVE-2019-18277 - haproxy: HTTP/2...
CentOS 8 : httpd:2.4 (CESA-2019:2893)
The remote CentOS Linux 8 host has packages installed that are affected by a vulnerability as referenced in the CESA-2019:2893 advisory. - HTTP/2: request for large response leads to denial of service CVE-2019-9517 Note that Nessus has not tested for this issue but has instead relied only on the...
CentOS 8 : nodejs:10 (CESA-2019:2925)
The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2019:2925 advisory. - nodejs: Insufficient Slowloris fix causing DoS via server.headersTimeout bypass CVE-2019-5737 - HTTP/2: large amount of data requests leads to denial...
CentOS 8 : container-tools:rhel8 (CESA-2019:4269)
The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2019:4269 advisory. - runc: AppArmor/SELinux bypass with malicious image that specifies a volume at /proc CVE-2019-16884 - podman: resolving symlink in host filesystem lea...
CentOS 8 : nginx:1.14 (CESA-2019:2799)
The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2019:2799 advisory. - HTTP/2: large amount of data requests leads to denial of service CVE-2019-9511 - HTTP/2: flood using PRIORITY frames results in excessive resource...
CentOS 8 : container-tools:1.0 (CESA-2019:4273)
The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2019:4273 advisory. - HTTP/2: flood using PING frames results in unbounded memory growth CVE-2019-9512 - HTTP/2: flood using HEADERS frames results in unbounded memory...
openSUSE Security Update : tomcat (openSUSE-2021-81)
This update for tomcat fixes the following issue : - CVE-2020-17527: Fixed an HTTP/2 request header mix-up (bsc#1179602). This update was imported from the SUSE:SLE-15-SP1:Update update project. (C) Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted fro...
openSUSE Security Update : tomcat (openSUSE-2021-43)
This update for tomcat fixes the following issue : - CVE-2020-17527: Fixed an HTTP/2 request header mix-up (bsc#1179602). This update was imported from the SUSE:SLE-15-SP2:Update update project. (C) Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted fro...
EulerOS 2.0 SP3 : golang (EulerOS-SA-2021-1073)
According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an...
EulerOS 2.0 SP3 : nginx (EulerOS-SA-2021-1101)
According to the versions of the nginx package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of...
Fedora 32 : 1:nodejs (2021-d5b2c18fe6)
The remote Fedora 32 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2021-d5b2c18fe6 advisory. - Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers wi...
Huawei EulerOS: Security Advisory for golang (EulerOS-SA-2021-1073)
The remote host is missing an update for the Huawei EulerOS...
Huawei EulerOS: Security Advisory for nginx (EulerOS-SA-2021-1101)
The remote host is missing an update for the Huawei EulerOS...
Security Update for .NET Core (January 2021)
The Microsoft .NET Core installation on the remote host is version 3.1.x prior to 3.1.11 or 5.x prior to 5.0.2. It is, therefore, affected by a denial of service (DoS) vulnerability in the way Kestrel parses HTTP/2 requests. An unauthenticated, remote attacker can exploit this issue, by sending a specially...
Security Update for .NET Core SDK (January 2021)
The Microsoft .NET Core SDK installation on the remote host is version 3.1.x prior to 3.1.111, 3.1.2xx prior to 3.1.405, or 5.x prior to 5.0.102. It is, therefore, affected by a denial of service (DoS) vulnerability in the way Kestrel parses HTTP/2 requests. An unauthenticated, remote attacker can...
Security update for tomcat (moderate)
openSUSE Security Update: Security update for tomcat Announcement ID: openSUSE-SU-2021:0081-1 Rating: moderate References: 1179602 Cross-References: CVE-2020-17527 Affected Products: openSUSE Leap 15.1 An update that fixes one vulnerability is now available. Description: This update for tomcat...