JVN#93667442: Gitlab vulnerable to server-side request forgery
Gitlab contains a server-side request forgery vulnerability CWE-918 through the Project Import feature. Impact The vulnerability allows an attacker to make arbitrary HTTP/HTTPS or git requests inside a GitLab instance's network. Solution Update the software Update the software to the latest versi...
Cloudflare Thwarted Largest Ever HTTPS DDoS Attack
By Deeba Ahmed The DDoS attack originated from 121 countries and was powered by a small botnet of only 5,067 hacked… This is a post from HackRead.com Read the original post: Cloudflare Thwarted Largest Ever HTTPS DDoS Attack...
Record breaking HTTPS DDoS attack
Last week, Cloudflare blocked the largest HTTPS DDoS attack on record. The attack amassed some 26 million requests per second rps. The previous record for a HTTPS DDoS attack was 15.3 million rps. The attack targeted an unnamed Cloudflare customer and originated mostly from Cloud Service Provider...
Important: Red Hat Security Advisory: cups security and bug fix update
An update for cups is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the...
cups security and bug fix update
An update is available for cups. This update affects Rocky Linux 8. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list The Common UNIX Printing System CUPS provides a portable printing layer for Linu...
RLSA-2022:5056 Important: cups security and bug fix update
The Common UNIX Printing System CUPS provides a portable printing layer for Linux, UNIX, and similar operating systems. Security Fixes: cups: authorization bypass when using "local" authorization CVE-2022-26691 For more details about the security issues, including the impact, a CVSS score,...
Cloudflare Saw Record-Breaking DDoS Attack Peaking at 26 Million Request Per Second
Cloudflare on Tuesday disclosed that it had acted to prevent a record-setting 26 million request per second RPS distributed denial-of-service DDoS attack last week, making it the largest HTTPS DDoS attack detected to date. The web performance and security company said the attack was directed...
Security Bulletin: Vulnerabilities in Curl affect PowerSC (CVE-2021-22876 and CVE-2021-22890)
Summary There are vulnerabilities in Curl that affect PowerSC. Vulnerability Details CVEID: CVE-2021-22876 DESCRIPTION: cURL libcurl could allow a remote attacker to obtain sensitive information, caused by the failure to strip off user credentials from the URL when automatically populating the...
About the security content of Apple Music 3.9.10 for Android
About the security content of Apple Music 3.9.10 for Android This document describes the security content of Apple Music 3.9.10 for Android. About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred...
confluencePot - Simple Honeypot For Atlassian Confluence (CVE-2022-26134)
ConfluencePot is a simple honeypot for the Atlassian Confluence unauthenticated and remote OGNL injection vulnerability CVE-2022-26134. About the vulnerability You can find the official advisory by Atlassian to this vulnerability here. For details about the inner workings and exploits in the wild...
DEBIAN-CVE-2022-31043
Guzzle is an open source PHP HTTP client. In affected versions Authorization headers on requests are sensitive information. On making a request using the https scheme to a server which responds with a redirect to a URI with the http scheme, we should not forward the Authorization header on. This ...
UBUNTU-CVE-2022-31043
Guzzle is an open source PHP HTTP client. In affected versions Authorization headers on requests are sensitive information. On making a request using the https scheme to a server which responds with a redirect to a URI with the http scheme, we should not forward the Authorization header on. This ...
GHSA-W248-FFJ2-4V5Q Fix failure to strip Authorization header on HTTP downgrade
Impact Authorization headers on requests are sensitive information. On making a request using the https scheme to a server which responds with a redirect to a URI with the http scheme, we should not forward the Authorization header on. This is much the same as to how we don't forward on the heade...
Failure to strip the Cookie header on change in host or HTTP downgrade
Impact Cookie headers on requests are sensitive information. On making a request using the https scheme to a server which responds with a redirect to a URI with the http scheme, or on making a request to a server which responds with a redirect to a URI to a different host, we should not forward...
PT-2022-3238 · Guzzle +1 · Guzzle +1
Name of the Vulnerable Software and Affected Versions: Guzzle versions prior to 6.5.7 Guzzle versions prior to 7.4.4 Description: The issue is related to the handling of Authorization headers in requests. When a request is made using the https scheme to a server that responds with a redirect to a...
nodejs: Improper handling of URI Subject Alternative Names
A flaw was found in node.js where it accepted a certificate's Subject Alternative Names SAN entry, as opposed to what is specified by the HTTPS protocol. This flaw allows an active person-in-the-middle to forge a certificate and impersonate a trusted host...
CVE-2022-30115
Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL used a trailing dot while not using one when it built the HSTS cache. Or th...
AZL-9891 CVE-2022-30115 affecting package curl for versions less than 7.83.1-1
Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL used a trailing dot while not using one when it built the HSTS cache. Or th...