google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation

A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 :path pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed :path that omits the mandato...

google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation

A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 :path pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed :path that omits the mandato...

GHSA-PXH5-6RRC-8RJV OpenTofu: Excessive resource usage in "tofu init" when installing dependencies from attacker-controlled server

Impact Unauthenticated denial of service. Summary When installing provider or module packages from attacker-controlled servers, the server may cause tofu initto enter an infinite loop sending garbage data to that server. Those who depend on modules or providers served from untrusted third-party...

Improper Verification of Cryptographic Signature

Overview symfony/security-http is a provides an infrastructure for sophisticated authorization systems, which makes it possible to easily separate the actual authorization logic from so called user providers that hold the users credentials. Affected versions of this package are vulnerable to...

Incorrect Authorization

Overview symfony/http-kernel is a Symfony component that provides a structured process for converting a Request into a Response. Affected versions of this package are vulnerable to Incorrect Authorization in the router due to the improper enforcement of IsGranted, IsSignatureValid, and...

Incorrect Authorization

Overview symfony/security-http is a provides an infrastructure for sophisticated authorization systems, which makes it possible to easily separate the actual authorization logic from so called user providers that hold the users credentials. Affected versions of this package are vulnerable to...

User Impersonation

Overview symfony/security-http is a provides an infrastructure for sophisticated authorization systems, which makes it possible to easily separate the actual authorization logic from so called user providers that hold the users credentials. Affected versions of this package are vulnerable to User...

CVE-2026-3593

A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected...

Malicious code in svharness (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3aef9a7535c16df930fdb10e5b60773f5ba2e0a8cd102d53a4cc3da122cfd473 When the documented svharness build --baseline or svharness wizard command is run, the tool's default 'tasks' wiki mode scans and bundles the caller'...

Astra Linux - уязвимость в apache2

A carefully crafted request body can cause a buffer overflow in the modlua multipart parser r:parsebody called from Lua scripts. The Apache httpd team is not aware of an exploit for this vulnerability, but it might be possible to create one. This issue affects Apache HTTP Server 2.4.51 and earlie...

Astra Linux - уязвимость в netty

Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace such as a spaceTransfer-Encoding:chunked line and a later Content-Length header. This issue exists due to an incomplete fix for CVE-2019-16869...

Astra Linux – Vulnerability in Maven

Apache Maven will no longer follow repositories that are defined in a dependency’s Project Object Model POM. This may be surprising to some users, and could lead to potential risks if a malicious actor takes control of that repository or manages to impersonate that repository. Maven has changed t...

Astra Linux - уязвимость в firefox, thunderbird

Cross-Site Tracing occurs when a server echoes a request back using the Trace method, allowing an XSS attack to access authorization headers and cookies that are inaccessible to JavaScript such as cookies protected by HTTPOnly. To mitigate this attack, browsers imposed restrictions on fetch and...

Astra Linux - уязвимость в http-parser

Node.js versions before 10.23.1, 12.20.1, 14.15.4, and 15.5.1 allow for two copies of a header field in an HTTP request for example, two Transfer-Encoding header fields. In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling...

Astra Linux – Vulnerability in Waitress

Waitress is a Web Server Gateway Interface server for Python 2 and 3. When using Waitress versions 2.1.0 and earlier behind a proxy that does not properly validate whether the incoming HTTP requests comply with the RFC7230 standard, Waitress and the frontend proxy may disagree on where one reques...

Astra Linux - уязвимость в jetty9

Jetty is a Java-based web server and servlet engine. An HTTP/2 SSL connection that is established and becomes TCP congested may be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the serve...

Astra Linux - уязвимость в jetty9

In the Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that may result in the active connections and associated resources not being properly cleaned up. This can lead to a Denial of Service scenario, where there are not enough...

Astra Linux - уязвимость в curl

libcurl supports pinning of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. The documentation states that this option works with wolfSSL, but does not specify that it does...

Astra Linux – Vulnerability in golang-golang-x-text

In Go 1.15.4, a "index out of range" panic occurs in the language.ParseAcceptLanguage function during the parsing of the -u- extension. The language.ParseAcceptLanguage function is supposed to be able to parse an HTTP Accept-Language header...

Astra Linux - уязвимость в apache2

Apache HTTP Server versions 2.4.41 to 2.4.46 with modproxyhttp can become unstable when processing specially crafted requests that use both Content-Length and Transfer-Encoding headers. This can lead to a denial of service...