SUSE CVE-2023-5824

A flaw was found in Squid. The limits applied for validation of HTTP response headers are applied before caching. However, Squid may grow a cached HTTP response header beyond the configured maximum size, causing a stall or crash of the worker process when a large header is retrieved from the disk...

SUSE: Security Advisory (SUSE-SU-2023:4210-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Snowplow: Unauthorised ██████████ Auth via Token Leakage & HTTP Header Injection

Summary We've identified that your Email Filtering mechanism is misconfigured in the way it visits suspicious links. This behavior is dangerous, as data exfiltration is possible when a 3rd party service sends an incoming email containing sensitive data. A great example would be a reset password...

Backdoor Implanted on Hacked Cisco Devices Modified to Evade Detection

The backdoor implanted on Cisco devices by exploiting a pair of zero-day flaws in IOS XE software has been modified by the threat actor so as to escape visibility via previous fingerprinting methods. "Investigated network traffic to a compromised device has shown that the threat actor has upgrade...

Squid DoS Vulnerability (GHSA-h5x6-w8mv-xfpr, SQUID-2024:2)

Squid is prone to a denial of service DoS vulnerability. SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:squid-cache:squid";...

golang: net/http: insufficient sanitization of Host header

A flaw was found in Golang, where it is vulnerable to HTTP header injection caused by improper content validation of the Host header by the HTTP/1 client. A remote attacker can inject arbitrary HTTP headers by persuading a victim to visit a specially crafted Web page. This flaw allows the attacke...

CVE-2018-25091

A flaw was found in the urllib3 package. Affected versions of this package are vulnerable to information exposure through sent data when the authorization HTTP header is not removed during a cross-origin redirect. An attacker can expose credentials in the authorization header to unintended hosts ...

Authorization Header forwarded on redirect

urllib3 before 1.24.2 does not remove the authorization HTTP header when following a cross-origin redirect i.e., a redirect that differs in host, port, or scheme. This can allow for credentials in the authorization header to be exposed to unintended hosts or transmitted in cleartext. NOTE: this...

Security Bulletin: Security Vulnerabilities have been identifed in the IBM WebSphere Liberty product as shipped with the IBM Security Verify Access products.

Summary There are multiple Security vulnerabilities affecting IBM WebSphere Liberty have been fixed in the IBM Security Verify Access ISVA Appliance and Container images. Vulnerability Details CVEID:CVE-2022-22476 DESCRIPTION: IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.7 and...

CVE-2023-30803

The CVE-2023-30803 entry concerns the Sangfor Next-Gen Application Firewall (NGAF) version NGAF8.0.17. The vulnerability is an authentication bypass where a remote, unauthenticated attacker can bypass login and gain access to administrative functionality by sending HTTP requests with a crafted Y-...

CVE-2023-30803 Sangfor Next-Gen Application Firewall Authentication Bypass

The Sangfor Next-Gen Application Firewall version NGAF8.0.17 is vulnerable to an authentication bypass vulnerability. A remote and unauthenticated attacker can bypass authentication and access administrative functionality by sending HTTP requests using a crafted Y-forwarded-for header...

Fedora 38 : rust-axum / rust-tokio-tungstenite / rust-tungstenite / rust-warp (2023-9c4142423a)

The remote Fedora 38 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2023-9c4142423a advisory. - Update the axum crate to version 0.6.20. - Update the tokio-tungstenite crate to version 0.20.1. - Update the tungstenite crate to version 0.20.1. - Port...

Security Bulletin: Operations Dashboard is vulnerable to header injection due to Golang Go

Summary Operations Dashboard is vulnerable to header injection due to Go CVE-2023-29406 with details below. Vulnerability Details CVEID:CVE-2023-29406 DESCRIPTION: Golang Go is vulnerable to HTTP header injection, caused by improper contents validation of Host header by the HTTP/1 client. By...

Fedora 37 : rust-axum / rust-tokio-tungstenite / rust-tungstenite / rust-warp (2023-e72bf7b92e)

The remote Fedora 37 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2023-e72bf7b92e advisory. - Update the axum crate to version 0.6.20. - Update the tokio-tungstenite crate to version 0.20.1. - Update the tungstenite crate to version 0.20.1. - Port...

Debian: Security Advisory (DSA-5507-1)

The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

SUSE-SU-2023:3823-1 Security update for curl

This update for curl fixes the following issues: - CVE-2023-38039: Fixed possible DoS when receiving too large HTTP header. bsc1215026...

Tungstenite allows remote attackers to cause a denial of service

The Tungstenite crate through 0.20.0 for Rust allows remote attackers to cause a denial of service minutes of CPU consumption via an excessive length of an HTTP header in a client handshake. The length affects both how many times a parse is attempted e.g., thousands of times and the average amoun...

RUSTSEC-2023-0065 Tungstenite allows remote attackers to cause a denial of service

The Tungstenite crate through 0.20.0 for Rust allows remote attackers to cause a denial of service minutes of CPU consumption via an excessive length of an HTTP header in a client handshake. The length affects both how many times a parse is attempted e.g., thousands of times and the average amoun...

Important: golang

Issue Overview: The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars a scalar larger than the order of the curve. This does not impact usages of crypto/ecdsa or crypto/ecdh. CVE-2023-24532 HTTP and MIME header...

Important: ruby

Issue Overview: jQuery before 1.9.0 is vulnerable to Cross-site Scripting XSS attacks. The jQuerystrInput function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '' character anywhere in the...