3714 matches found
SUSE CVE-2019-15606
Including trailing white space in HTTP header values in Node.js 10, 12, and 13 causes bypass of authorization based on header value comparisons...
SUSE CVE-2020-1935
In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse...
SUSE CVE-2021-33620
Squid before 4.15 and 5.x before 5.0.6 allows remote servers to cause a denial of service affecting availability to all clients via an HTTP response. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent by the server...
SUSE CVE-2022-35256
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CRLF. This may result in HTTP Request Smuggling...
SUSE SLES15 Security Update : haproxy (SUSE-SU-2023:0413-1)
The remote SUSE Linux SLES15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0413-1 advisory. - An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an...
SUSE SLES15 Security Update : haproxy (SUSE-SU-2023:0412-1)
The remote SUSE Linux SLES15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0412-1 advisory. - An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an...
Security Bulletin: IBM CICS TX Standard is vulnerable to HTTP Header injection (CVE-2022-34306)
Summary: IBM CICS TX Standard could allow a remote attacker to invoke cross-site scripting, cache poisoning or session hijacking attacks on a vulnerable system. The fix removes this vulnerability CVE-2022-34306 from IBM CICS TX Standard. Vulnerability Details: CVEID: CVE-2022-34306. DESCRIPTION: IBM...
Security Bulletin: An HTTP header injection vulnerability in IBM WebSphere Application Server Liberty (CVE-2022-34165) affects IBM CICS TX Standard
Summary: An HTTP header injection vulnerability exists in IBM WebSphere Application Server Liberty used by IBM CICS TX Standard. IBM CICS TX Standard has addressed the vulnerability CVE-2022-34165. Vulnerability Details: CVEID: CVE-2022-34165. DESCRIPTION: IBM WebSphere Application Server 7.0, 8.0,...
Security Bulletin: IBM CICS TX Advanced is vulnerable to HTTP header injection (CVE-2022-34163).
Summary: IBM CICS TX could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. The fix removes this vulnerability CVE-2022-34163 from IBM CICS TX Advanced. Vulnerability Details: CVEID: CVE-2022-34163...
Security Bulletin: IBM CICS TX Advanced is vulnerable to HTTP header injection (CVE-2022-34306)
Summary: IBM CICS TX Advanced could allow an attacker to mount a cross-site scripting, cache poisoning or session hijacking attack on a vulnerable system. The fix removes this vulnerability CVE-2022-34306 from IBM CICS TX Advanced. Vulnerability Details: CVEID: CVE-2022-34306. DESCRIPTION: IBM CICS TX...
CVE-2023-25725
HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some...
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : grafana (SUSE-SU-2023:0362-1)
The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0362-1 advisory. - Grafana is an open source observability and data visualization platform. Versions prior to 9.1...
Authorization
DataHub is an open-source metadata platform. When not using authentication for the metadata service, which is the default configuration, the Metadata service GMS will use the X-DataHub-Actor HTTP header to infer the user the frontend is sending the request on behalf of. When the backends retrieve...
Security Bulletin: IBM Sterling B2B Integrator is vulnerable to HTTP header injection due to IBM WebSphere Application Server (CVE-2022-34165)
Summary: IBM Sterling B2B Integrator has addressed an HTTP header injection security vulnerability in IBM WebSphere Application Server shipped with the product. Vulnerability Details: CVEID: CVE-2022-34165. DESCRIPTION: IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 and IBM WebSphere Applicatio...
Security Bulletin: IBM MQ Appliance is vulnerable to HTTP header injection (CVE-2022-34165)
Summary: IBM MQ Appliance has resolved an HTTP header injection vulnerability. Vulnerability Details: CVEID: CVE-2022-34165. DESCRIPTION: IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.9 are vulnerable to HTTP header...
CVE-2023-22795
A regular expression based DoS vulnerability in Action Dispatch 6.1.7.1 and 7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This...
Design/Logic Flaw
A regular expression based DoS vulnerability in Action Dispatch 6.1.7.1 and 7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This...
Fedora 37 : golang-github-google-dap (2023-8ecc0e487e)
The remote Fedora 37 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-8ecc0e487e advisory. Update go-dap to 0.7.0, also fix CVE-2022-41717. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that...
Cross site scripting
IBM Sterling Secure Proxy 6.0.3 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM...