267 matches found

GitHub Security Blog
added 2022/04/04 9:29 p.m. | 25 views

Inconsistent Interpretation of HTTP Requests in twisted.web

The Twisted Web HTTP 1.1 server, located in the twisted.web.http module, parsed several HTTP request constructs more leniently than permitted by RFC 7230: 1. The Content-Length header value could have a + or - prefix. 2. Illegal characters were permitted in chunked extensions, such as the LF \n...

CVSS 8.1 | AI score 8.3 | EPSS 0.01107
Exploits: 0 | References: 12 | Affected Software: 1

Cvelist
added 2022/04/04 5:25 p.m. | 22 views

CVE-2022-24801 HTTP Request Smuggling in twisted.web

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the twisted.web.http module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing...

CVSS 8.1 | AI score 8.5 | EPSS 0.01107
Exploits: 0 | References: 7

OSV
added 2022/04/04 5:25 p.m. | 29 views

CVE-2022-24801 HTTP Request Smuggling in twisted.web

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the twisted.web.http module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing...

CVSS 8.1 | AI score 8.3 | EPSS 0.01107
Exploits: 0 | References: 9

AlpineLinux
added 2022/04/04 5:25 p.m. | 40 views

CVE-2022-24801

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the twisted.web.http module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing...

CVSS 8.1 | AI score 8.5 | EPSS 0.01107
Exploits: 0

OpenVAS
added 2022/01/28 12:00 a.m. | 34 views

Mageia: Security Advisory (MGASA-2019-0277)

The remote host is missing an update for the...

CVSS 8.8 | AI score 6.9 | EPSS 0.26351
Exploits: 0 | References: 23

OpenVAS
added 2022/01/28 12:00 a.m. | 31 views

Mageia: Security Advisory (MGASA-2020-0131)

The remote host is missing an update for the...

CVSS 9.8 | AI score 9.8 | EPSS 0.32252
Exploits: 0 | References: 4

ArchLinux
added 2021/10/21 12:00 a.m. | 63 views

[ASA-202110-6] nodejs-lts-erbium: multiple issues

Arch Linux Security Advisory ASA-202110-6. Severity: High. Date: 2021-10-21. CVE-ID: CVE-2021-22939, CVE-2021-22940, CVE-2021-22959, CVE-2021-22960. Package: nodejs-lts-erbium. Type: multiple issues. Remote: Yes. Link: https://security.archlinux.org/AVG-2285...

CVSS 7.5 | AI score 1.1 | EPSS 0.00386
Exploits: 3 | References: 24

FreeBSD
added 2021/10/12 12:00 a.m. | 38 views

Node.js -- October 2021 Security Releases

Node.js reports: HTTP Request Smuggling due to spaced in headers (Medium) (CVE-2021-22959): The http parser accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS). HTTP Request Smuggling when parsing the body (Medium) (CVE-2021-22960): The...

CVSS 6.5 | AI score 0.4 | EPSS 0.00229
Exploits: 2 | References: 1

OpenVAS
added 2021/06/09 12:00 a.m. | 20 views

SUSE: Security Advisory (SUSE-SU-2018:0952-1)

The remote host is missing an update for the...

CVSS 7.5 | AI score 6.5 | EPSS 0.01264
Exploits: 0 | References: 2

OSV
added 2021/04/26 7:12 a.m. | 5 views

SUSE-SU-2021:1313-1 Security update for python-aiohttp

This update for python-aiohttp fixes the following issues: - CVE-2021-21330: Fixed the way pure-Python HTTP parser interprets `//` (bsc#1184745)...

CVSS 6.1 | AI score 6.6 | EPSS 0.00494
Exploits: 0 | References: 3

Tenable Nessus
added 2021/02/01 12:00 a.m. | 32 views

CentOS 8 : http-parser (CESA-2020:0708)

The remote CentOS Linux 8 host has a package installed that is affected by a vulnerability as referenced in the CESA-2020:0708 advisory. - nodejs: HTTP request smuggling using malformed Transfer-Encoding header (CVE-2019-15605) Note that Nessus has not tested for this issue but has instead relied...

CVSS 9.8 | AI score 8.1 | EPSS 0.32252
Exploits: 0 | References: 2

Tenable Nessus
added 2021/01/29 12:00 a.m. | 29 views

CentOS 8 : http-parser (CESA-2019:3497)

The remote CentOS Linux 8 host has a package installed that is affected by a vulnerability as referenced in the CESA-2019:3497 advisory. - nodejs: Denial of Service with large HTTP headers (CVE-2018-12121) Note that Nessus has not tested for this issue but has instead relied only on the application...

CVSS 7.5 | AI score 7.2 | EPSS 0.05572
Exploits: 0 | References: 2

NVD
added 2021/01/26 6:15 p.m. | 7 views

CVE-2020-27539

Heap overflow with full parsing of HTTP response in Rostelecom CS-C2SHW 5.0.082.1. AgentUpdater service has a self-written HTTP parser and builder. HTTP parser has a heap buffer overflow (OOB write). In default configuration camera parses responses only from HTTPS URLs from config file, so vulnerabl...

CVSS 9.8 | AI score 9.7 | EPSS 0.00593
Exploits: 1 | References: 1

Prion
added 2021/01/26 6:15 p.m. | 15 views

Heap overflow

Heap overflow with full parsing of HTTP response in Rostelecom CS-C2SHW 5.0.082.1. AgentUpdater service has a self-written HTTP parser and builder. HTTP parser has a heap buffer overflow (OOB write). In default configuration camera parses responses only from HTTPS URLs from config file, so vulnerabl...

CVSS 7.5 | AI score 9.6 | EPSS 0.00593
Exploits: 1 | References: 1 | Affected Software: 1

CVE
added 2021/01/25 8:26 p.m. | 33 views

CVE-2020-27539

CVE-2020-27539 corresponds to a heap-based overflow in Rostelecom CS-C2SHW 5.0.082.1 where the AgentUpdater component uses a self-written HTTP parser/builder. The HTTP parser may perform an out-of-bounds write on a heap buffer. However, the default configuration restricts the camera to parsing re...

CVSS 9.8 | AI score 9.6 | EPSS 0.00593
Exploits: 1 | References: 1 | Affected Software: 1

Tenable Nessus
added 2020/12/15 12:00 a.m. | 33 views

Virtuozzo 7 : http-parser / http-parser-devel (VZLSA-2019-2258)

An update for http-parser is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability fro...

CVSS 7.5 | AI score 7.4 | EPSS 0.05572
Exploits: 0 | References: 4

Tenable Nessus
added 2020/12/09 12:00 a.m. | 34 views

NewStart CGSL CORE 5.05 / MAIN 5.05 : http-parser Vulnerability (NS-SA-2020-0119)

The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has http-parser packages installed that are affected by a vulnerability: - HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed (CVE-2019-15605) Note that Nessus h...

CVSS 9.8 | AI score 8.1 | EPSS 0.32252
Exploits: 0 | References: 2

RedhatCVE
added 2020/08/24 5:04 a.m. | 39 views

CVE-2020-15811

A flaw was found in squid. Due to incorrect data validation, an HTTP Request Splitting attack against HTTP and HTTPS traffic is possible, leading to cache poisoning. The highest threat from this vulnerability is to data confidentiality and integrity. Mitigation: Disable the relaxed HTTP parser in...

CVSS 6.5 | AI score 3 | EPSS 0.00185
Exploits: 0 | References: 3

RedhatCVE
added 2020/08/24 5:04 a.m. | 52 views

CVE-2020-15810

A flaw was found in squid. Due to incorrect data validation, an HTTP Request Smuggling attack against HTTP and HTTPS traffic is possible, leading to cache poisoning. The highest threat from this vulnerability is to data confidentiality and integrity. Mitigation: Disable the relaxed HTTP parser in...

CVSS 6.5 | AI score 3 | EPSS 0.00155
Exploits: 0 | References: 3

Tenable Nessus
added 2020/06/17 12:00 a.m. | 73 views

EulerOS 2.0 SP2 : http-parser (EulerOS-SA-2020-1652)

According to the versions of the http-parser package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination...

CVSS 7.5 | AI score 7.1 | EPSS 0.05572
Exploits: 0 | References: 3