
3711 matches found

OpenVAS
added 2020/01/09 12:00 a.m., 41 views

openSUSE: Security Advisory for python (openSUSE-SU-2019:2393-1)

The remote host is missing an update for the Copyright (C) 2020 Greenbone Networks GmbH. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later. This program is free software; you can...

CVSS 7.5, AI score 7.5, EPSS 0.05406
Exploits: 2, References: 2

CVE
added 2020/01/06 8:11 p.m., 120 views

CVE-2020-5846

The CVE-2020-5846 issue affects Ahsay Cloud Backup Suite 8.3.0.30. It describes an insecure file upload via PUT /obs/obm7/file/upload, where a base64-encoded pathname is supplied in the X-RSW-custom-encode-path header and the file contents in the request body. This allows uploading a file into an...

CVSS 8.8, AI score 8.6, EPSS 0.01399
Exploits: 1, References: 1, Affected software: 1

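The entry above describes an upload endpoint that takes a client-chosen, base64-encoded pathname from a header and writes the body there. The following Python is an added example, not Ahsay's code: it shows the unsafe pattern the description implies (decode the header, join it onto a storage root, write) beside a hardened resolution that rejects absolute paths, parent traversal and NUL bytes and confirms the normalised target still lies under the root. The upload root, the helper names and the decision to write nothing to disk are assumptions made for this example.

```python
import base64
import binascii
from pathlib import Path, PurePosixPath

# Constructed upload root for this example; the product's real layout is not
# described on the page.
UPLOAD_ROOT = Path("/srv/backup-uploads")


def decode_path_header(value: str) -> str:
    """Decode the base64-encoded pathname carried in the upload header.

    Invalid base64 and non-UTF-8 bytes are rejected rather than guessed at.
    """
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("header is not valid base64") from exc
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError("decoded path is not UTF-8") from exc


def unsafe_target(root: Path, client_path: str) -> Path:
    """Vulnerable pattern: trust the decoded path as given.

    pathlib replaces the root entirely when the right-hand side is absolute,
    and '..' segments walk out of it, so the client picks any location.
    """
    return root / client_path


def is_inside(root: Path, candidate: Path) -> bool:
    """True if candidate, after lexical and symlink normalisation, is root
    itself or lies below it."""
    root = root.resolve(strict=False)
    candidate = candidate.resolve(strict=False)
    return candidate == root or root in candidate.parents


def safe_target(root: Path, client_path: str) -> Path:
    """Hardened resolution: reject NUL bytes, absolute paths and parent
    traversal up front, then confirm the normalised result stays in root."""
    if "\x00" in client_path:
        raise ValueError("NUL byte in path")
    rel = PurePosixPath(client_path)
    if rel.is_absolute():
        raise ValueError("absolute path rejected")
    if ".." in rel.parts:
        raise ValueError("parent traversal rejected")
    target = root.joinpath(*rel.parts)
    if not is_inside(root, target):
        raise ValueError("path escapes upload root")
    return target.resolve(strict=False)


def handle_upload(header_value: str, body: bytes, root: Path = UPLOAD_ROOT) -> Path:
    """Decode and validate the requested path and return where the body would
    be written. The write itself is left out so the example runs offline."""
    target = safe_target(root, decode_path_header(header_value))
    # target.write_bytes(body) would go here once the directory exists.
    return target
```

The check in `is_inside` is done after `resolve()` so that a symlink inside the upload root cannot be used to escape it either; the up-front `..` rejection only catches the lexical case.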
Tenable Nessus
added 2019/12/31 12:00 a.m., 27 views

F5 Networks BIG-IP : TMM vulnerability (K23860356)

iRules performing HTTP header manipulation may cause a denial of service (DoS) when processing traffic handled by a virtual server with an associated HTTP profile, in specific circumstances, when the requests do not strictly conform to RFCs. (CVE-2019-6660) Impact: The affected BIG-IP system's Traffic...

CVSS 7.5, AI score 7.2, EPSS 0.01044
Exploits: 0, References: 2

UbuntuCve
added 2019/12/23 5:15 p.m., 21 views

CVE-2019-19337

A flaw was found in Red Hat Ceph Storage version 3 in the way the Ceph RADOS Gateway daemon handles S3 requests. An authenticated attacker can abuse this flaw by causing a remote denial of service by sending a specially crafted HTTP Content-Length header to the Ceph RADOS Gateway server...

CVSS 6.5, AI score 6.6, EPSS 0.0132
Exploits: 0, References: 1

Prion
added 2019/12/23 5:15 p.m., 18 views

Design/Logic Flaw

A flaw was found in Red Hat Ceph Storage version 3 in the way the Ceph RADOS Gateway daemon handles S3 requests. An authenticated attacker can abuse this flaw by causing a remote denial of service by sending a specially crafted HTTP Content-Length header to the Ceph RADOS Gateway server...

CVSS 4, AI score 6.3, EPSS 0.0132
Exploits: 0, References: 1, Affected software: 1

Cvelist
added 2019/12/23 4:18 p.m., 35 views

CVE-2019-19337

A flaw was found in Red Hat Ceph Storage version 3 in the way the Ceph RADOS Gateway daemon handles S3 requests. An authenticated attacker can abuse this flaw by causing a remote denial of service by sending a specially crafted HTTP Content-Length header to the Ceph RADOS Gateway server...

CVSS 6.5, AI score 6.3, EPSS 0.0132
Exploits: 0, References: 1

NVD
added 2019/12/20 11:15 p.m., 17 views

CVE-2019-16786

Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that value was not chunked it would fall through and use the Content-Length header instead. According to the HTTP standard Transfer-Encoding should be a comma separated list, with t...

CVSS 7.5, AI score 7.1, EPSS 0.02545
Exploits: 0, References: 8

Debian CVE
added 2019/12/20 11:00 p.m., 30 views

CVE-2019-16786

Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that value was not chunked it would fall through and use the Content-Length header instead. According to the HTTP standard Transfer-Encoding should be a comma separated list, with t...

CVSS 7.5, AI score 6.5, EPSS 0.02545
Exploits: 0

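The two Waitress entries above describe a Transfer-Encoding check that compares the whole header as one string and falls back to Content-Length when it is not exactly "chunked", and the CVE-2019-19337 entries further up describe a Content-Length value that RADOS Gateway accepts and then fails on. One body-framing routine covers both sides: parse Transfer-Encoding as the comma-separated list the standard requires, validate Content-Length strictly before trusting it, and refuse a request that carries both. This is an added Python example, not code from Waitress or Ceph; the body limit and the particular malformed Content-Length shapes rejected are assumptions, since the page does not say which crafted value triggers the RGW failure.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed body limit for the example; a real server picks its own.
MAX_BODY = 64 * 1024 * 1024

# RFC 7230 token characters.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def parse_transfer_encoding(value: str) -> List[str]:
    """Transfer-Encoding is a comma-separated list of transfer-codings
    (RFC 7230 section 3.3.1). Returns the coding names, lowercased, in order;
    raises on empty or malformed elements instead of ignoring them."""
    codings = []
    for elem in value.split(","):
        elem = elem.strip(" \t")
        if not elem:
            raise ValueError("empty element in Transfer-Encoding")
        # drop transfer-parameters such as ';q=...' before checking the token
        name = elem.split(";", 1)[0].strip(" \t").lower()
        if not _TOKEN.fullmatch(name):
            raise ValueError(f"bad transfer-coding: {elem!r}")
        codings.append(name)
    return codings


def vulnerable_is_chunked(value: str) -> bool:
    """The Waitress <= 1.3.1 behaviour described on the page: the header is
    compared as one string, so 'gzip, chunked' is not treated as chunked and
    the server falls back to Content-Length, disagreeing with a front-end
    that honours the list."""
    return value.strip().lower() == "chunked"


def parse_content_length(value: str) -> int:
    """Strict Content-Length: ASCII digits only, no sign or exponent, a
    repeated header must carry identical values, and the size is bounded.
    Anything else is rejected before memory is reserved for the body."""
    values = {v.strip(" \t") for v in value.split(",")}
    if len(values) != 1:
        raise ValueError("conflicting Content-Length values")
    (digits,) = values
    if not re.fullmatch(r"[0-9]{1,19}", digits):
        raise ValueError(f"malformed Content-Length: {value!r}")
    length = int(digits)
    if length > MAX_BODY:
        raise ValueError("Content-Length exceeds limit")
    return length


def framing(headers: Dict[str, str]) -> Tuple[str, Optional[int]]:
    """Decide how the request body is delimited, following RFC 7230
    section 3.3.3: Transfer-Encoding wins when present, its last coding must
    be 'chunked', and a request carrying both headers is refused as a
    possible smuggling attempt rather than silently disambiguated.
    Header names are expected lowercased."""
    te = headers.get("transfer-encoding")
    cl = headers.get("content-length")
    if te is not None:
        codings = parse_transfer_encoding(te)
        if codings[-1] != "chunked":
            raise ValueError("last transfer-coding must be chunked")
        if cl is not None:
            raise ValueError("Transfer-Encoding and Content-Length both present")
        return "chunked", None
    if cl is not None:
        return "content-length", parse_content_length(cl)
    return "none", 0
```

Rejecting the both-headers case outright, rather than letting Transfer-Encoding override, is the conservative choice for a server sitting behind a proxy: the request is only ever ambiguous if something upstream already disagreed about it.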
OSV
added 2019/12/13 1:15 p.m., 26 views

CVE-2019-18802

An issue was discovered in Envoy 1.12.0. An untrusted remote client may send an HTTP header such as Host with whitespace after the header content. Envoy will treat "header-value " as a different string from "header-value" so for example with the Host header "example.com " one could bypass...

CVSS 9.8, AI score 9.4
Exploits: 0, References: 5

NVD
added 2019/12/13 1:15 p.m., 30 views

CVE-2019-18802

An issue was discovered in Envoy 1.12.0. An untrusted remote client may send an HTTP header such as Host with whitespace after the header content. Envoy will treat "header-value " as a different string from "header-value" so for example with the Host header "example.com " one could bypass...

CVSS 9.8, AI score 9.5, EPSS 0.02457
Exploits: 1, References: 5

Prion
added 2019/12/13 1:15 p.m., 18 views

Design/Logic Flaw

An issue was discovered in Envoy 1.12.0. An untrusted remote client may send an HTTP header such as Host with whitespace after the header content. Envoy will treat "header-value " as a different string from "header-value" so for example with the Host header "example.com " one could bypass...

CVSS 7.5, AI score 9.4, EPSS 0.02457
Exploits: 1, References: 5, Affected software: 1

Cvelist
added 2019/12/13 12:21 p.m., 26 views

CVE-2019-18802

An issue was discovered in Envoy 1.12.0. An untrusted remote client may send an HTTP header such as Host with whitespace after the header content. Envoy will treat "header-value " as a different string from "header-value" so for example with the Host header "example.com " one could bypass...

AI score 9.4, EPSS 0.02457
Exploits: 1, References: 5

CVE
added 2019/12/13 12:21 p.m., 181 views

CVE-2019-18802

CVE-2019-18802 affects Envoy 1.12.0. An untrusted remote client can send an HTTP header (e.g., Host) with trailing whitespace, causing Envoy to treat "header-value " and "header-value" as different strings and potentially bypass Host matchers. The linked records (including openSUSE/SUSE advisories) as...

CVSS 9.8, AI score 9.2, EPSS 0.02457
Exploits: 1, References: 5, Affected software: 1

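The CVE-2019-18802 entries above describe a Host matcher that compares the value as received, so a trailing space is enough to miss the rule written for "example.com" and fall through to whatever applies by default. The Python below is an added example, not Envoy's code: a header-line parser that strips the optional whitespace RFC 7230 allows around a field value (SP and HTAB only) and rejects control characters, and a small matcher showing the raw lookup beside the normalised one. The routing table and policy names are constructed for the example.

```python
import re
from typing import Dict, Tuple

# Optional whitespace around a field value is SP and HTAB only (RFC 7230 3.2.3).
OWS = " \t"
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def parse_header_line(line: str) -> Tuple[str, str]:
    """Split one 'Name: value' line. The name must be a token with no
    whitespace before the colon, OWS around the value is removed, and any
    control character in the value (other than HTAB) is rejected rather than
    passed along."""
    name, sep, value = line.partition(":")
    if not sep or not _TOKEN.fullmatch(name):
        raise ValueError(f"malformed header line: {line!r}")
    value = value.strip(OWS)
    if any((ord(c) < 0x20 and c != "\t") or ord(c) == 0x7F for c in value):
        raise ValueError("control character in header value")
    return name.lower(), value


class HostMatcher:
    """Maps a Host value to a policy name, falling back to a default policy.
    The rules are constructed for the example; any routing table would do."""

    def __init__(self, rules: Dict[str, str], default: str):
        self.rules = {host.lower(): policy for host, policy in rules.items()}
        self.default = default

    def match_raw(self, host: str) -> str:
        """The behaviour described for Envoy 1.12.0: the value is matched as
        received, so 'example.com ' misses the rule for 'example.com' and
        lands on the default policy."""
        return self.rules.get(host.lower(), self.default)

    def match_normalized(self, host: str) -> str:
        """Strip OWS first, and use the normalised value both for matching and
        for whatever is forwarded upstream, so both sides see the same bytes."""
        return self.rules.get(host.strip(OWS).lower(), self.default)
```

The second half of the fix matters as much as the first: if the proxy matches on the trimmed value but forwards the original bytes, the upstream may still key its own decisions on "example.com " and the two sides disagree again.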
Cvelist
added 2019/12/10 7:43 p.m., 17 views

CVE-2019-19703

In Ktor through 1.2.6, the client resends data from the HTTP Authorization header to a redirect location...

AI score 6.4, EPSS 0.00642
Exploits: 1, References: 1

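The Ktor entry above describes a client that carries the Authorization header along when it follows a redirect. The Python below is an added example, not Ktor's code: a redirect follower that keeps credential-bearing headers only when the redirect target has the same origin (scheme, host, port) as the request that produced them, with a `leaky` switch that reproduces the described behaviour for comparison. The two hostnames, the routing table and the `fake_responder` that stands in for the network are constructed for the example.

```python
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlsplit

# Credentials that must not travel to a different origin on redirect.
SENSITIVE_HEADERS = ("authorization", "proxy-authorization", "cookie")
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def origin(url: str) -> Tuple[str, str, int]:
    """(scheme, host, port) with the default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or (443 if scheme == "https" else 80)
    return scheme, (parts.hostname or "").lower(), port


def headers_for_redirect(current_url: str, headers: Dict[str, str],
                         next_url: str, leaky: bool = False) -> Dict[str, str]:
    """Headers to send to the redirect target. leaky=True reproduces the
    Ktor <= 1.2.6 behaviour described on the page: everything is resent."""
    if leaky or origin(current_url) == origin(next_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


# A responder receives (url, headers) and returns (status, location, headers seen).
Responder = Callable[[str, Dict[str, str]], Tuple[int, str, Dict[str, str]]]


def follow_redirects(url: str, headers: Dict[str, str], responder: Responder,
                     max_hops: int = 5, leaky: bool = False) -> List[Tuple[str, Dict[str, str]]]:
    """Walk a redirect chain and return (url, headers the server saw) per hop.
    The responder stands in for the network so the example runs offline."""
    trail = []
    for _ in range(max_hops):
        status, location, seen = responder(url, headers)
        trail.append((url, seen))
        if status not in REDIRECT_STATUSES or not location:
            return trail
        next_url = urljoin(url, location)
        headers = headers_for_redirect(url, headers, next_url, leaky=leaky)
        url = next_url
    raise RuntimeError("too many redirects")


# Constructed servers: the API host bounces one path to an unrelated host and
# another path to itself.
ROUTES = {
    "https://api.example.com/report": (302, "https://collector.example.net/r"),
    "https://api.example.com/old": (301, "/new"),
}


def fake_responder(url: str, headers: Dict[str, str]) -> Tuple[int, str, Dict[str, str]]:
    status, location = ROUTES.get(url, (200, ""))
    return status, location, dict(headers)
```

Scoping credentials to the origin is the same rule the Python `requests` library applies when the redirect changes host; a stricter client can also refuse to downgrade from https to http even on the same host.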
OSV
added 2019/12/06 6:55 p.m., 19 views

GHSA-35FR-H7JR-HH86 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') in Armeria

Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable to HTTP response splitting, which allows remote attackers to inject arbitrary HTTP headers via CRLF sequences when unsanitized data is used to populate the headers of an HTTP response. Impact: 1. Cross-User Defacement 2. Cache...

CVSS 6.5, AI score 6.4, EPSS 0.00982
Exploits: 0, References: 1

Github Security Blog
added 2019/12/06 6:55 p.m., 163 views

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') in Armeria

Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable to HTTP response splitting, which allows remote attackers to inject arbitrary HTTP headers via CRLF sequences when unsanitized data is used to populate the headers of an HTTP response. Impact: 1. Cross-User Defacement 2. Cache...

AI score 1.9
Exploits: 0, References: 2, Affected software: 1

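The two Armeria entries above describe response splitting: a CRLF inside a header value ends that header line, so an attacker who controls the value can append further headers and even a body. The Python below is an added example, not Armeria's code. It serialises a response head the vulnerable way, parses the bytes back the way a client or cache would to show the injected Set-Cookie and body, and then applies the fix, which is to reject any value containing CR, LF or another control character before it reaches the wire. The redirect scenario and the payload are constructed for the example.

```python
import re
from typing import List, Tuple

# Anything that could end a header line or confuse a parser: CR, LF, NUL and
# the other C0 controls except HTAB, plus DEL.
_FORBIDDEN = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def validate_header_value(value: str) -> str:
    """Reject, rather than strip, header values containing CR/LF or other
    control characters; stripping can be undone by a second encoding layer."""
    if _FORBIDDEN.search(value):
        raise ValueError(f"control character in header value: {value!r}")
    return value


def build_head_vulnerable(status: str, headers: List[Tuple[str, str]]) -> bytes:
    """Writes values straight into the wire format. A CRLF inside a value
    becomes a new header line, and a double CRLF ends the header block and
    starts a body the attacker chose."""
    lines = [f"HTTP/1.1 {status}"] + [f"{name}: {value}" for name, value in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def build_head_safe(status: str, headers: List[Tuple[str, str]]) -> bytes:
    """The same serialiser with every value validated first."""
    checked = [(name, validate_header_value(value)) for name, value in headers]
    return build_head_vulnerable(status, checked)


def parse_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """What a client or cache sees: status line, header list, and whatever
    follows the first blank line, which it treats as the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def redirect_response(next_url: str, builder=build_head_safe) -> bytes:
    """A redirect whose Location comes from request data; the chosen builder
    decides whether an injected CRLF is caught."""
    return builder("302 Found", [("Location", next_url), ("Content-Length", "0")])
```

Note that the injected body also swallows the real Content-Length header, which is what makes the forged page cacheable under the victim URL.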
NVD
added 2019/12/05 4:15 a.m., 13 views

CVE-2019-19597

D-Link DAP-1860 devices before v1.04b03 Beta allow arbitrary remote code execution as root without authentication via shell metacharacters within an HNAP_AUTH HTTP header...

CVSS 8.8, AI score 9.3, EPSS 0.19086
Exploits: 1, References: 2

Prion
added 2019/12/05 4:15 a.m., 16 views

Remote code execution

D-Link DAP-1860 devices before v1.04b03 Beta allow arbitrary remote code execution as root without authentication via shell metacharacters within an HNAP_AUTH HTTP header...

CVSS 8.3, AI score 9.2, EPSS 0.19086
Exploits: 1, References: 2, Affected software: 1

CVE
added 2019/12/05 3:07 a.m., 54 views

CVE-2019-19597

CVE-2019-19597 affects D-Link DAP-1860 devices prior to v1.04b03 Beta. The issue allows arbitrary remote code execution as root without authentication via shell metacharacters within the HNAP_AUTH HTTP header, indicating a remote command execution vulnerability in the HNAP handler. Impact is unre...

CVSS 8.8, AI score 9.2, EPSS 0.19086
Exploits: 1, References: 2, Affected software: 1

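The three CVE-2019-19597 entries above say only that shell metacharacters in the HNAP_AUTH header reach a shell as root; the page does not show the firmware's handler. The Python below is an added illustration, not D-Link's code: it builds the kind of command line that is vulnerable (the header spliced into a quoted shell string), runs it through `/bin/sh` with a harmless payload so the injected command visibly executes, and contrasts it with an in-process check that validates the header's shape and verifies the HMAC without ever invoking a shell. The HNAP_AUTH layout assumed here (uppercase hex HMAC-MD5, a space, the signed timestamp), the key, the SOAP action string and the skew window are assumptions for the example.

```python
import hashlib
import hmac
import re
import subprocess

# Assumed HNAP_AUTH layout for this example: uppercase hex HMAC digest, one
# space, the timestamp that was signed. Anything else fails validation.
HNAP_AUTH_RE = re.compile(r"[0-9A-F]{32} [0-9]{1,10}")


def build_vulnerable_command(hnap_auth: str) -> str:
    """The vulnerable pattern: the header value is spliced into a shell
    command line. A single quote in the header closes the quoting and a ';'
    starts a second command, which runs with the daemon's privileges."""
    return f"echo '{hnap_auth}'"


def run_vulnerable(hnap_auth: str) -> str:
    """Hands the spliced command to /bin/sh, as a shell-out in a CGI handler
    would. Only ever call this with harmless demonstration payloads."""
    done = subprocess.run(build_vulnerable_command(hnap_auth), shell=True,
                          capture_output=True, text=True)
    return done.stdout


def make_hnap_auth(private_key: bytes, soap_action: str, timestamp: int) -> str:
    """Produce a header value a legitimate client would send (assumed scheme)."""
    mac = hmac.new(private_key, f"{timestamp}{soap_action}".encode(), hashlib.md5)
    return f"{mac.hexdigest().upper()} {timestamp}"


def verify_hnap_auth(header: str, private_key: bytes, soap_action: str,
                     now: int, max_skew: int = 300) -> bool:
    """Hardened check: validate the header's shape with a strict regex, then
    recompute and compare the MAC in-process. No shell is involved, so
    metacharacters have nowhere to go; they simply fail the regex."""
    if not HNAP_AUTH_RE.fullmatch(header):
        return False
    digest, ts_text = header.split(" ")
    timestamp = int(ts_text)
    if abs(now - timestamp) > max_skew:
        return False
    expected = hmac.new(private_key, f"{timestamp}{soap_action}".encode(),
                        hashlib.md5).hexdigest().upper()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    key = b"constructed-private-key"
    good = make_hnap_auth(key, "GetDeviceSettings", 1700000000)
    evil = "'; echo INJECTED; echo '"
    print("vulnerable, legitimate header ->", run_vulnerable(good).strip())
    print("vulnerable, injected header   ->", run_vulnerable(evil).strip())
    print("hardened, injected header     ->", verify_hnap_auth(evil, key, "GetDeviceSettings", 1700000000))
```

If a shell-out is unavoidable, the remaining defence is to pass the value as a separate argv element with `shell=False` after the regex check, never as part of a command string.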
OSV
added 2019/12/04 5:28 p.m., 2 views

USN-4213-1 squid, squid3 vulnerabilities

Jeriko One and Kristoffer Danielsson discovered that Squid incorrectly handled certain URN requests. A remote attacker could possibly use this issue to bypass access checks and access restricted servers. This issue was only addressed in Ubuntu 19.04 and Ubuntu 19.10. (CVE-2019-12523) Jeriko One...

CVSS 9.8, AI score 6.8, EPSS 0.40982
Exploits: 0, References: 8
