CVE-2019-9900

Technical details about CVE-2019-9900 are not provided in the connected documents. The initial description notes an issue in Envoy 1.9.0 and earlier with HTTP header parsing, but no public details are included here; monitor for updates.

undertow: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of CVE-2016-4993)

It was found that the fix for CVE-2016-4993 was incomplete and Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also response splitting, due to insufficient sanitization and validation of user input before the input is used as part of an HTTP header value...

istio/envoy: Authorization bypass via null characters injection in HTTP/1.x

A flaw was found in Envoy version 1.9.0 and older, where Envoy does not reject embedded zero characters NUL, ASCII 0x0 when processing HTTP/1.x header values. This flaw allows remote attackers crafting header values containing embedded NUL characters to potentially bypass header matching rules,...

CVE-2019-9947

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n specifically in the path component of a URL that...

Crlf injection

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n specifically in the path component of a URL that...

CVE-2019-9947

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n specifically in the path component of a URL that...

PSF-2019-11 HTTP Header Injection (follow-up of CVE-2016-5699)

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n specifically in the path component of a URL that...

CVE-2019-9947

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n specifically in the path component of a URL that...

CVE-2019-9947

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n specifically in the path component of a URL that...

Xerxes - DoS Tool Enhanced

Xerxes dos tool enhanced with many features for stress testing. Features Xerxes has many features, some of these features are: TLS Support HTTP header randomization Useragent randomization Multiprocessing support Multiple Attack vectors etc... Not only that but also we are aggressively developing...

Debian DLA-1720-1 : liblivemedia security update

It was discovered that liblivemedia, the LIVE555 RTSP server library, is vulnerable to an invalid memory access when processing the Authorization header field. Remote attackers could leverage this vulnerability to possibly trigger code execution or denial of service OOB access and application cra...

[SECURITY] [DLA 1720-1] liblivemedia security update

Package : liblivemedia Version : 2014.01.13-1+deb8u3 CVE ID : CVE-2019-9215 Debian Bug : 924655 It was discovered that liblivemedia, the LIVE555 RTSP server library, is vulnerable to an invalid memory access when processing the Authorization header field. Remote attackers could leverage this...

CVE-2018-19510

subscriber.php in Webgalamb through 7.0 is vulnerable to SQL injection via the Client-IP HTTP request header...

CRLF Injection

net/http and net/url in github.com/golang/go are vulnerable to CRLF injection. It does not prevent a HTTP header manipulation with the ‘\r\n sequence in it, allowing a remote attacker to inject arbitrary response headers or body content via the HTTP header...

CVE-2018-1658

IBM Jazz Foundation IBM Rational Collaborative Lifecycle Management 5.0 through 6.0.6 is vulnerable to HTTP header injection, caused by improper validation of input. By persuading a victim to visit a specially-crafted Web page, a remote attacker could exploit this vulnerability to inject arbitrar...

Cross site scripting

IBM Jazz Foundation IBM Rational Collaborative Lifecycle Management 5.0 through 6.0.6 is vulnerable to HTTP header injection, caused by improper validation of input. By persuading a victim to visit a specially-crafted Web page, a remote attacker could exploit this vulnerability to inject arbitrar...

CVE-2018-1658

IBM Jazz Foundation IBM Rational Collaborative Lifecycle Management 5.0 through 6.0.6 is vulnerable to HTTP header injection, caused by improper validation of input. By persuading a victim to visit a specially-crafted Web page, a remote attacker could exploit this vulnerability to inject arbitrar...

CVE-2018-1658

CVE-2018-1658 affects IBM Jazz Foundation used by IBM CLM and related Rational products (CLM, RDNG, RELM, RTC, RQM, Rhapsody DM, RSA DM) 5.0–6.0.6. Root cause: HTTP header injection due to input validation issues in IBM Jazz Foundation. Impact: remote attacker can persuade a user to visit a craft...

CVE-2018-1658

IBM Jazz Foundation IBM Rational Collaborative Lifecycle Management 5.0 through 6.0.6 is vulnerable to HTTP header injection, caused by improper validation of input. By persuading a victim to visit a specially-crafted Web page, a remote attacker could exploit this vulnerability to inject arbitrar...

CVE-2019-9741

An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command...