CURL-CVE-2021-22890 TLS 1.3 session ticket proxy host mix-up
Enabled by default, libcurl supports the use of TLS 1.3 session tickets to resume previous TLS sessions to speed up subsequent TLS handshakes. When using an HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote serve...
CVE-2021-22890
curl 7.63.0 to and including 7.75.0 includes a vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using an HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived...
UBUNTU-CVE-2021-22890
curl 7.63.0 to and including 7.75.0 includes a vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using an HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived...
GHSA-5PHF-PP7P-VC2R Using default SSLContext for HTTPS requests in an HTTPS proxy doesn't verify certificate hostname for proxy connection
Impact: Users who are using an HTTPS proxy to issue HTTPS requests and haven't configured their own SSLContext via proxy_config. Only the default SSLContext is impacted. Patches: urllib3 >=1.26.4 has the issue resolved. urllib3 <1.26 is not impacted due to not supporting HTTPS requests via HTTPS proxie...
curl: CVE-2021-22890: TLS 1.3 session ticket proxy host mixup
Summary: I don't think that this can be easily exploited, but I am submitting it as a security issue out of precaution. I am not looking for a bounty. Commit 549310e907e82e44c59548351d4c6ac4aaada114 enables session resumption with TLS 1.3. Curl connections maintain two SSL contexts, one for the...
PT-2021-5820 · Curl +5
Name of the Vulnerable Software and Affected Versions: curl versions 7.63.0 through 7.75.0. Description: The issue is related to the incorrect handling of TLS 1.3 session tickets, which can allow a malicious HTTPS proxy to perform a man-in-the-middle (MITM) attack. When using an HTTPS proxy and TLS...
CVE-2021-28363
The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for...
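For the two urllib3 entries above (the GHSA summary and CVE-2021-28363), an added example in Python that is not urllib3's own code: the SSLContext a caller should hand to the proxy leg, the weak shape with the hostname check switched off, and a small audit that reports which of the two it has been given. The `cafile` parameter and the proxy URL in the note below are the example's own assumptions.

```python
"""Added example, not urllib3's own code: a proxy-leg SSLContext that verifies
the proxy certificate's name, beside the weak shape, plus an audit helper."""
import ssl


def audit_proxy_context(ctx):
    """Return the list of findings that would let a certificate issued for some
    other host be accepted on the CONNECT leg; an empty list passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode != CERT_REQUIRED: proxy certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: any valid certificate is accepted for the proxy host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS below 1.2")
    return findings


def hardened_proxy_context(cafile=None):
    """What to pass for the proxy connection: chain validation and hostname
    check on, TLS 1.2 floor. `cafile` (assumed parameter) points at a private CA
    when the proxy uses an internal certificate."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_proxy_context():
    """The shape of the advisory's problem written out explicitly: the chain is
    validated, the name in the certificate is not, so a certificate for any host
    signed by a trusted CA satisfies the proxy handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_default_certs()
    return ctx


if __name__ == "__main__":
    print("hardened:", audit_proxy_context(hardened_proxy_context()) or "ok")
    print("weak:    ", audit_proxy_context(weak_proxy_context()))
```

With urllib3 1.26 the context is supplied as `urllib3.ProxyManager("https://proxy.example:3128", proxy_ssl_context=hardened_proxy_context())` (proxy URL assumed); the audit is the check to run on any context an application already builds for its proxy, since passing a context with `check_hostname` off reproduces the weakness on every version.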
GHSA-QRG3-F6H6-VQ8Q Denial of Service in https-proxy-agent
Withdrawn: Duplicate of GHSA-8g7p-74h8-hg48...
HTTP/HTTPS proxy support on NetScaler based on Traffic Policies Secure Web
This article describes how to configure NetScaler to proxy the traffic from MDX apps through a proxy server such as Squid or Bluecoat. Enterprises can proxy this traffic by configuring simple traffic rules on the NetScaler appliance...
Machine-In-The-Middle in https-proxy-agent
Versions of https-proxy-agent prior to 2.2.3 are vulnerable to Machine-In-The-Middle. The package fails to enforce TLS on the socket if the proxy server responds to the CONNECT request with an HTTP status other than 200. This allows an attacker with access to the proxy server to intercept...
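The failure mode described above, as an added example in Python (https-proxy-agent itself is JavaScript; this is not the package's code): a CONNECT tunnel helper in two forms. `tunnel_vulnerable` mirrors the behaviour the advisory describes and hands the plain proxy socket back whenever the proxy answers anything but 200, so the HTTP layer reads the proxy's bytes as if they came from the origin; `tunnel_hardened` closes the connection and raises instead, and also rejects bytes trailing a 200 head. The hostile proxy, the host name `example.com` and the canned responses are constructed for the example and run over a local `socketpair`, so it works offline.

```python
"""Added example, not https-proxy-agent's own code: CONNECT handling that
refuses to reuse the proxy socket unless the proxy answered 200."""
import socket
import threading

MAX_HEAD = 64 * 1024  # bound on the response head we are willing to buffer


class ProxyError(Exception):
    """Raised when the proxy's answer to CONNECT cannot be trusted."""


def read_head(sock):
    """Read one HTTP head up to CRLFCRLF, handling data split across recv()
    calls. Returns (head, bytes_after_head)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ProxyError("connection closed before the HTTP head was complete")
        buf += chunk
        if len(buf) > MAX_HEAD:
            raise ProxyError("HTTP head exceeds %d bytes" % MAX_HEAD)
    head, _, rest = buf.partition(b"\r\n\r\n")
    return head, rest


def parse_status(head):
    """Status code from a head such as b'HTTP/1.1 200 Connection established'."""
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ProxyError("malformed status line: %r" % status_line)
    return int(parts[1])


def connect_request(host, port):
    return ("CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n" % (host, port, host, port)).encode("ascii")


def tunnel_vulnerable(sock, host, port):
    """The pre-2.2.3 shape the advisory describes: on a non-200 reply the plain
    proxy socket is handed to the HTTP layer, so whatever the proxy sends next is
    read as if it came from `host`, in cleartext. Returns the transport the
    caller ends up on: 'tls' or 'plain'."""
    sock.sendall(connect_request(host, port))
    head, _rest = read_head(sock)
    if parse_status(head) == 200:
        return "tls"    # caller wraps sock in TLS with server_hostname=host
    return "plain"      # BUG: sock is returned unwrapped


def tunnel_hardened(sock, host, port):
    """Only a 200 with nothing after the head is accepted; anything else ends the
    connection so no request bytes can reach the proxy in cleartext."""
    sock.sendall(connect_request(host, port))
    head, rest = read_head(sock)
    status = parse_status(head)
    if status != 200:
        sock.close()
        raise ProxyError("proxy answered CONNECT with %d, not tunnelling" % status)
    if rest:
        # A 200 to CONNECT carries no body; trailing bytes would be fed into the
        # TLS handshake as if the origin had sent them.
        sock.close()
        raise ProxyError("unexpected %d bytes after CONNECT response head" % len(rest))
    return "tls"        # caller wraps sock in TLS with server_hostname=host


def _scripted_proxy(server_side, response):
    """Constructed stand-in for a hostile proxy: consume the CONNECT request,
    send a canned response, hang up."""
    try:
        read_head(server_side)
        server_side.sendall(response)
    finally:
        server_side.close()


def run_against(tunnel, response, host="example.com", port=443):
    """Drive `tunnel` against the scripted proxy over a local socketpair."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=_scripted_proxy, args=(server, response))
    worker.start()
    try:
        return tunnel(client, host, port)
    finally:
        client.close()
        worker.join()


# Constructed sample responses.
OK_200 = b"HTTP/1.1 200 Connection established\r\n\r\n"
FAKE_BODY = b"<html>login form impersonating example.com</html>"
FAKE_403 = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"
            b"Content-Length: %d\r\n\r\n" % len(FAKE_BODY)) + FAKE_BODY
OK_200_WITH_JUNK = OK_200 + b"\x16\x03\x01\x00\x05hello"

if __name__ == "__main__":
    print("vulnerable, 403 ->", run_against(tunnel_vulnerable, FAKE_403))
    for name, resp in (("403", FAKE_403), ("200+junk", OK_200_WITH_JUNK), ("200", OK_200)):
        try:
            print("hardened, %s ->" % name, run_against(tunnel_hardened, resp))
        except ProxyError as e:
            print("hardened, %s -> rejected: %s" % (name, e))
```

The point to carry over to any CONNECT client: the proxy's error page is an HTTP response from the proxy, not from the origin, and must never be delivered over the same socket that the HTTP client will then write its authenticated request to.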
0.8.18-p11 (=0.8.18-p12), 3scale-cm (=0.7.2) +2677 more potentially affected by unknown CVE via https-proxy-agent (>=0.3.6 <=2.2.2)
https-proxy-agent NPM version =0.3.6, =0.0.1, =1.0.1, =0.0.1, =0.1.0, =0.1.0, =2.0.0, =1.0.0, =0.1.5, =0.0.1, =0.0.7 - @angular-template/ng1-build =2.0.0-beta.1 and more Source cves: unknown CVE Source advisory: OSV:GHSA-PC5P-H8PF-MVWP...
CVE-2018-3739
A flaw was found in https-proxy-agent prior to version 2.2.0: it passes the auth option to the Buffer constructor without proper sanitization. This could result in a Denial of Service through the usage of all available CPU resources and data exposure through an...
GHSA-6C7V-2F49-8H26 Django Incorrect HTTP detection with reverse-proxy connecting via HTTPS
An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words,...
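The decision behind that advisory, as an added example in Python that reconstructs the scheme logic stand-alone (it is not Django's code; the setting value and the WSGI environ dicts are constructed): the pre-fix rule only promotes a request to https when the header matches and otherwise falls back to the scheme of the proxy-to-app hop, so a client that reached the proxy over plain HTTP is reported as secure when the proxy re-encrypts towards the app and no redirect is issued; the fixed rule lets a present header decide on its own.

```python
"""Added example, not Django's code: a stand-alone reconstruction of the scheme
decision behind SECURE_PROXY_SSL_HEADER, pre-fix and fixed, run over
constructed WSGI environ dicts."""

# Django setting shape: (META key, value that means "the client used HTTPS").
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def scheme_before_fix(meta, setting=SECURE_PROXY_SSL_HEADER):
    """Header equal to the secure value -> https; otherwise fall back to the
    scheme of the proxy-to-app hop. When that hop is itself TLS, a client that
    spoke plain HTTP to the proxy is reported as https, the advisory's case."""
    header, secure_value = setting
    if meta.get(header) == secure_value:
        return "https"
    return meta.get("wsgi.url_scheme", "http")


def scheme_after_fix(meta, setting=SECURE_PROXY_SSL_HEADER):
    """If the proxy sent the header it alone decides; the transport scheme is
    consulted only when the header is absent."""
    header, secure_value = setting
    value = meta.get(header)
    if value is not None:
        return "https" if value == secure_value else "http"
    return meta.get("wsgi.url_scheme", "http")


def needs_https_redirect(meta, scheme_fn):
    """SECURE_SSL_REDIRECT semantics: redirect unless the request is secure."""
    return scheme_fn(meta) != "https"


# Constructed samples. The proxy terminates TLS towards the client and, in the
# first two, re-encrypts towards the app (wsgi.url_scheme == "https").
CLIENT_HTTP_VIA_TLS_HOP = {"HTTP_X_FORWARDED_PROTO": "http", "wsgi.url_scheme": "https"}
CLIENT_HTTPS_VIA_TLS_HOP = {"HTTP_X_FORWARDED_PROTO": "https", "wsgi.url_scheme": "https"}
DIRECT_PLAIN = {"wsgi.url_scheme": "http"}

# Caveat that applies to both versions: the proxy must overwrite the header on
# every request, otherwise a client can send X-Forwarded-Proto itself and the
# app will treat a plaintext request as secure.

if __name__ == "__main__":
    for name, meta in (("client http, TLS hop", CLIENT_HTTP_VIA_TLS_HOP),
                       ("client https, TLS hop", CLIENT_HTTPS_VIA_TLS_HOP),
                       ("direct plain", DIRECT_PLAIN)):
        print("%-22s before=%s after=%s redirect(after)=%s" % (
            name, scheme_before_fix(meta), scheme_after_fix(meta),
            needs_https_redirect(meta, scheme_after_fix)))
```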
CVE-2019-1876
A vulnerability in the HTTPS proxy feature of Cisco Wide Area Application Services (WAAS) Software could allow an unauthenticated, remote attacker to use the Central Manager as an HTTPS proxy. The vulnerability is due to insufficient authentication of proxy connection requests. An attacker could...
GHSA-8G7P-74H8-HG48 Denial of Service in https-proxy-agent
Versions of https-proxy-agent before 2.2.0 are vulnerable to denial of service. This is due to unsanitized options.proxy.auth being passed to Buffer. Recommendation: Update to version 2.2.0 or later...