3712 matches found

Cvelist
added 2020/06/19 3:13 p.m.

CVE-2019-20866

An issue was discovered in Mattermost Server before 5.12.0. Use of a Proxy HTTP header, rather than the source address in an IP packet header, for obtaining IP address information was mishandled...

AI score 5.3, EPSS 0.0092
Exploits: 0, References: 1
IBM Security Bulletins
added 2020/06/12 10:03 p.m.

Security Bulletin: Vulnerability in Go programming language affects IBM Spectrum Protect Server (CVE-2019-16276)

Summary: The Go programming language could allow a remote attacker to bypass security restrictions, which affects the IBM Spectrum Protect Server. Vulnerability Details: CVEID: CVE-2019-16276. DESCRIPTION: Golang could allow a remote attacker to bypass security restrictions, caused by improper...

CVSS 7.5, AI score 1.7, EPSS 0.05157
Exploits: 0, Affected Software: 1
OSV
added 2020/06/09 9:18 a.m.

SUSE-SU-2020:1572-1 Security update for java-11-openjdk

This update for java-11-openjdk fixes the following issues: Java was updated to jdk-11.0.7+10 April 2020 CPU, bsc1169511. Security issues fixed: - CVE-2020-2754: Fixed an incorrect handling of regular expressions that could have resulted in denial of service bsc1169511. - CVE-2020-2755: Fixed an...

CVSS 8.3, AI score 6.8, EPSS 0.0623
Exploits: 0, References: 16
openSUSE Linux
added 2020/06/08 12:00 a.m.

Security update for axel (moderate)

openSUSE Security Update: Security update for axel. Announcement ID: openSUSE-SU-2020:0778-1. Rating: moderate. References: 1172159. Cross-References: CVE-2020-13614. Affected Products: openSUSE Leap 15.1. An update that fixes one vulnerability is now available. Description: This update for axel fixes...

CVSS 5.9, AI score 6.2, EPSS 0.01928
Exploits: 1, References: 1
Tenable Nessus
added 2020/06/08 12:00 a.m.

openSUSE Security Update : axel (openSUSE-2020-778)

This update for axel fixes the following issues : axel was updated to 2.17.8 : - CVE-2020-13614: SSL Certificate Hostnames were not verified boo1172159 - Replaced progressbar line clearing with terminal control sequence - Fixed parsing of Content-Disposition HTTP header - Fixed User-Agent HTTP...

CVSS 5.9, AI score 6.2, EPSS 0.01928
Exploits: 1, References: 2
OSV
added 2020/06/07 10:17 p.m.

OPENSUSE-SU-2020:0778-1 Security update for axel

This update for axel fixes the following issues: axel was updated to 2.17.8: CVE-2020-13614: SSL Certificate Hostnames were not verified boo1172159 Replaced progressbar line clearing with terminal control sequence Fixed parsing of Content-Disposition HTTP header Fixed User-Agent HTTP header never...

CVSS 5.9, AI score 6.1, EPSS 0.01928
Exploits: 1, References: 3
Tenable Nessus
added 2020/06/04 12:00 a.m.

openSUSE Security Update : java-11-openjdk (openSUSE-2020-757)

This update for java-11-openjdk fixes the following issues : Java was updated to jdk-11.0.7+10 April 2020 CPU, bsc1169511. Security issues fixed : - CVE-2020-2754: Fixed an incorrect handling of regular expressions that could have resulted in denial of service bsc1169511. - CVE-2020-2755: Fixed a...

CVSS 8.3, AI score 6.6, EPSS 0.0623
Exploits: 0, References: 15
Hacker One
added 2020/06/02 8:45 a.m.

curl: Poll loop/hang on incomplete HTTP header

Summary: When an incomplete server header is missing its value, the curl client will receive the packet but hang while parsing it. Examples of vulnerable server headers: Location, Content-Range and Connection. Adding the --max-time option will terminate the request as intended. Steps To Reproduce:...

AI score 6.9
Exploits: 0
openSUSE Linux
added 2020/06/02 12:00 a.m.

Security update for java-11-openjdk (important)

openSUSE Security Update: Security update for java-11-openjdk. Announcement ID: openSUSE-SU-2020:0757-1. Rating: important. References: 1167462, 1169511. Cross-References: CVE-2020-2754, CVE-2020-2755, CVE-2020-2756, CVE-2020-2757, CVE-2020-2767, CVE-2020-2773, CVE-2020-2778, CVE-2020-2781, CVE-2020-2800...

CVSS 8.3, AI score 8.3, EPSS 0.0623
Exploits: 0, References: 2
OSV
added 2020/05/29 4:04 p.m.

SUSE-SU-2020:1511-1 Security update for java-11-openjdk

This update for java-11-openjdk fixes the following issues: Java was updated to jdk-11.0.7+10 April 2020 CPU, bsc1169511. Security issues fixed: - CVE-2020-2754: Fixed an incorrect handling of regular expressions that could have resulted in denial of service bsc1169511. - CVE-2020-2755: Fixed an...

CVSS 8.3, AI score 6.8, EPSS 0.0623
Exploits: 0, References: 16
Tenable Nessus
added 2020/05/29 12:00 a.m.

Debian DLA-2209-1 : tomcat8 security update

Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine. WARNING: The fix for CVE-2020-1938 may disrupt services that rely on a working AJP configuration. The option secretRequired defaults to true now. You should define a secret in your server.xml or you can...

CVSS 9.8, AI score 7.8, EPSS 0.9927
Exploits: 58, References: 6
FreeBSD
added 2020/05/27 12:00 a.m.

ceph14 -- HTTP header injection via CORS ExposeHeader tag

Red Hat Bugzilla reports: A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. A newline character in the ExposeHeader tag of the CORS configuration file produces a header injection...

CVSS 6.5, AI score 1.4, EPSS 0.01627
Exploits: 0, References: 1
Prion
added 2020/05/25 11:15 p.m.

Design/Logic Flaw

The Knock Knock plugin before 1.2.8 for Craft CMS allows IP Whitelist bypass via an X-Forwarded-For HTTP header...

CVSS 6.4, AI score 9.2, EPSS 0.01355
Exploits: 1, References: 2, Affected Software: 1
Cvelist
added 2020/05/25 10:38 p.m.

CVE-2020-13485

The Knock Knock plugin before 1.2.8 for Craft CMS allows IP Whitelist bypass via an X-Forwarded-For HTTP header...

AI score 9.4, EPSS 0.01355
Exploits: 1, References: 2
BDU FSTEC
added 2020/05/07 12:00 a.m.

A vulnerability in Netty, the NIO client/server networking framework for Java, caused by inconsistent interpretation of HTTP requests, allows attackers to compromise data integrity.

The vulnerability in Netty, the NIO client/server networking framework for Java, stems from improper handling of double-colon gaps in HTTP header fields. Exploiting it allows a remote attacker to compromise data integrity...

CVSS 7.8, AI score 6.9, EPSS 0.08415
Exploits: 1, References: 6, Affected Software: 3
Cisco
added 2020/05/06 4:00 p.m.

Cisco Umbrella Carriage Return Line Feed Injection Vulnerability

A vulnerability in the web server of Cisco Umbrella could allow an unauthenticated, remote attacker to perform a carriage return line feed (CRLF) injection attack against a user of an affected service. The vulnerability is due to insufficient validation of user input. An attacker could exploit this...

CVSS 4.7, AI score 2.1, EPSS 0.009
Exploits: 0, References: 1
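The Ceph RadosGW and Cisco Umbrella entries above describe the same bug class: a CR or LF that survives into a header value is read by the recipient as the end of that header and the start of another. The following is an added example, not code from Ceph, Cisco or any other project on this page. It serialises a constructed response header list the naive way, parses the result back as a client would to show the extra header that appears, and then shows the field-name/field-value check (token and visible-character rules from RFC 7230) that rejects the injected value before it is written. The header names, values and regexes are constructed for illustration.

```python
"""Added example (not Ceph RadosGW or Cisco Umbrella code): how an unfiltered
CR/LF in a header value becomes a second header, and the check that stops it."""
import re

# RFC 7230 shapes: a field-name is a token; a field-value may contain only
# visible characters, SP and HTAB (obs-text bytes 0x80-0xff tolerated).
# CR, LF, NUL and every other control character are rejected outright.
_FIELD_NAME = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_FIELD_VALUE = re.compile(r"[\t\x20-\x7e\x80-\xff]*")


class HeaderInjection(ValueError):
    """Raised when a header name or value would break the header framing."""


def vulnerable_serialize(headers):
    """The injection-prone pattern: concatenate without validating.
    Returns the raw header block (terminated by an empty line) as bytes."""
    block = "".join(f"{name}: {value}\r\n" for name, value in headers)
    return (block + "\r\n").encode("latin-1")


def parse_header_block(block):
    """Parse a header block the way a client would, so the caller can see
    how many header lines the recipient actually observes."""
    lines = block.decode("latin-1").split("\r\n")
    return [tuple(part.strip() for part in line.split(":", 1))
            for line in lines if line]


def safe_serialize(headers):
    """Validate every field with fullmatch (not match + '$', which would
    accept a trailing newline) and only then fall through to serialisation."""
    for name, value in headers:
        if not _FIELD_NAME.fullmatch(name):
            raise HeaderInjection(f"illegal header name: {name!r}")
        if not _FIELD_VALUE.fullmatch(value):
            raise HeaderInjection(f"illegal value for {name}: {value!r}")
    return vulnerable_serialize(headers)  # safe once every field is validated


def is_safe_header_set(headers):
    """True if safe_serialize would accept the list, False if it rejects it."""
    try:
        safe_serialize(headers)
    except HeaderInjection:
        return False
    return True


# Constructed attacker input: a CORS ExposeHeader value carrying a CRLF,
# which an unfiltered gateway would copy into Access-Control-Expose-Headers.
EXPOSE_HEADER = "X-Custom\r\nSet-Cookie: session=attacker"
RESPONSE_HEADERS = [("Content-Type", "text/plain"),
                    ("Access-Control-Expose-Headers", EXPOSE_HEADER)]

if __name__ == "__main__":
    for name, value in parse_header_block(vulnerable_serialize(RESPONSE_HEADERS)):
        print(f"client sees header {name!r} = {value!r}")
    print("safe_serialize accepts it:", is_safe_header_set(RESPONSE_HEADERS))
```

The check belongs at the point where untrusted data is turned into a header line, not only at input time: a value that was stored earlier (a CORS configuration file, a saved redirect target) is untrusted again when it is read back.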
IBM Security Bulletins
added 2020/05/06 11:05 a.m.

Security Bulletin: Multiple vulnerabilities in Node.js affects IBM App Connect Enterprise V11

Summary: IBM App Connect Enterprise V11 ships with Node.js, for which vulnerabilities were reported and have been addressed. Vulnerability details are listed below. Vulnerability Details: CVEID: CVE-2019-15606. DESCRIPTION: Node.js could allow a remote attacker to bypass security restrictions, caused ...

CVSS 9.8, AI score 0.5, EPSS 0.57132
Exploits: 2, Affected Software: 1
OSV
added 2020/04/29 10:15 p.m.

CVE-2020-12477

The REST API functions in TeamPass 2.1.27.36 allow any user with a valid API token to bypass IP address whitelist restrictions via an X-Forwarded-For client HTTP header to the getIp function...

CVSS 7.5, AI score 6.8
Exploits: 0, References: 1
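The Mattermost, Knock Knock and TeamPass entries above are one bug: the allow-list reads the client address from a proxy header (X-Forwarded-For) that the client itself can set. The following is an added example, not code from any of those projects. It shows the flawed lookup next to a hardened one that trusts the TCP peer address unless it belongs to a configured reverse proxy, and in that case walks X-Forwarded-For from the right, skipping trusted hops, so the address checked is the one the last trusted proxy actually saw. The allow-list, the proxy range and the request samples are constructed for illustration.

```python
"""Added example (not Mattermost, Knock Knock or TeamPass code): why an IP
allow-list must not take the client address from X-Forwarded-For as-is."""
import ipaddress

# Constructed sample configuration: the allow-list an application enforces
# and the reverse proxy range that legitimately sits in front of it.
ALLOW_LIST = [ipaddress.ip_network("203.0.113.0/24")]
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def vulnerable_client_ip(remote_addr, headers):
    """The flawed pattern behind the entries above: believe X-Forwarded-For
    unconditionally, so any client chooses the address that gets checked."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def hardened_client_ip(remote_addr, headers):
    """Use the TCP peer address unless it is a trusted proxy. Only then read
    X-Forwarded-For, from the right (proxies append), and stop at the first
    hop that is not itself a trusted proxy. Malformed entries fall back to
    the proxy's own address rather than to something attacker-controlled."""
    peer = ipaddress.ip_address(remote_addr)
    if not _in_any(peer, TRUSTED_PROXIES):
        return remote_addr  # direct connection: the header is untrusted input
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break
        if not _in_any(addr, TRUSTED_PROXIES):
            return hop
    return remote_addr


def is_allowed(ip):
    """Allow-list decision on an already-resolved client address."""
    return _in_any(ipaddress.ip_address(ip), ALLOW_LIST)


if __name__ == "__main__":
    # Constructed request: attacker connects directly and forges the header.
    spoofed = {"X-Forwarded-For": "203.0.113.5"}
    print("vulnerable:", is_allowed(vulnerable_client_ip("198.51.100.7", spoofed)))
    print("hardened:  ", is_allowed(hardened_client_ip("198.51.100.7", spoofed)))
```

The same rule applies to X-Real-IP, Forwarded and CF-Connecting-IP: a header is evidence of the client address only when the peer that delivered it is a proxy you operate or explicitly trust.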
Check Point Advisories
added 2020/04/27 12:00 a.m.

Pivotal RabbitMQ X-Reason Denial of Service (CVE-2019-11287)

A denial-of-service vulnerability exists in Pivotal RabbitMQ. The vulnerability is due to indefinite memory consumption when processing an X-Reason HTTP header containing a crafted Erlang format string...

CVSS 5, AI score 1.1, EPSS 0.04519
Exploits: 1
Amazon
added 2020/04/22 12:00 a.m.

Medium: python-virtualenv

Issue Overview: urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow credentials in the Authorization header to be exposed to unintended hosts or transmitted in...

CVSS 9.8, AI score 8.1, EPSS 0.07443
Exploits: 3
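The urllib3 entry above defines a cross-origin redirect as one that changes host, port or scheme. The following is an added example, not urllib3's own code, of the decision a redirect-following client has to make: resolve the Location header against the current URL, compare the two origins with default ports filled in (so https://example.com and https://example.com:443 are the same origin), and drop credential-bearing headers only when the origin changes. It goes slightly beyond the entry by treating Cookie the same way as Authorization. The URLs and headers are constructed for illustration.

```python
"""Added example (not urllib3 code): which request headers may survive a
redirect. Authorization is dropped when scheme, host or effective port change."""
from urllib.parse import urljoin, urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}
# Headers that carry credentials for the original origin and must not be
# replayed to a different one. (Cookie is this example's addition.)
_CREDENTIAL_HEADERS = {"authorization", "cookie"}


def origin(url):
    """(scheme, host, effective port), lower-cased and with the default port
    filled in, so that equivalent spellings of one origin compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else _DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def is_cross_origin(from_url, to_url):
    """True when any of scheme, host or effective port differ."""
    return origin(from_url) != origin(to_url)


def headers_for_redirect(request_url, location, headers):
    """Resolve a Location header (absolute or relative) against the current
    URL and return (target_url, headers) for the follow-up request. Same
    origin keeps everything; a different origin loses credential headers."""
    target = urljoin(request_url, location)
    if not is_cross_origin(request_url, target):
        return target, dict(headers)
    kept = {name: value for name, value in headers.items()
            if name.lower() not in _CREDENTIAL_HEADERS}
    return target, kept


if __name__ == "__main__":
    # Constructed scenario: an authenticated API call is redirected off-site.
    original = "https://api.example.com/v1/login"
    sent = {"Authorization": "Bearer s3cret", "Accept": "application/json"}
    for loc in ("/v1/home", "https://evil.example.net/collect",
                "http://api.example.com/v1/home"):
        target, kept = headers_for_redirect(original, loc, sent)
        print(f"{loc!r} -> {target}  headers sent: {sorted(kept)}")
```

Note that a scheme downgrade (https to http on the same host) counts as cross-origin here, which is the case that exposes the bearer token on the wire even when the host is unchanged.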