Lucene search

215 matches found

SUSE Linux
added 2025/08/11 6:20 a.m.

Security update for tomcat

This update for tomcat fixes the following issues: CVE-2025-52520: Fixed an integer overflow that can lead to DoS for some unlikely configurations of multipart upload (bsc#1246388). CVE-2025-53506: Fixed an uncontrolled resource consumption vulnerability triggered by an HTTP/2 client (bsc#1246318). Patch Instructions: To install...

CVSS 8.2 · AI score 8.4 · EPSS 0.01247 · Exploits 0 · References 8
BDU FSTEC
added 2025/07/09 12:00 a.m.

A vulnerability in the Device Admin App of the ctrlX OS operating system allows an attacker to enumerate user account names.

The vulnerability in the Device Admin App on ctrlX OS is related to unlimited allocation of resources. Exploiting this vulnerability allows a remote attacker to enumerate user account names by sending specially crafted HTTP requests...

CVSS 5.3 · AI score 5.5 · EPSS 0.00108 · Exploits 0 · References 3 · Affected Software 1
RedHat Linux
added 2025/07/01 2:34 p.m.

jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability

A flaw was found in Eclipse Jetty. This vulnerability allows a denial of service attack via an HTTP/2 client specifying a very large value for the SETTINGS_MAX_HEADER_LIST_SIZE parameter...

CVSS 7.5 · AI score 7 · EPSS 0.00576 · Exploits 0 · References 6
CNNVD
added 2025/04/30 12:00 a.m.

Bosch Rexroth ctrlX OS security vulnerability

Bosch Rexroth ctrlX OS is a Linux-based real-time operating system from Bosch Rexroth, Germany, designed as an open control platform for industrial automation equipment. A security vulnerability exists in Bosch Rexroth ctrlX OS that originates from a specially crafted HTTP request in the web...

CVSS 5.4 · AI score 6.7 · EPSS 0.00226 · Exploits 0 · References 1
CNNVD
added 2025/04/21 12:00 a.m.

WebServer injection vulnerability

WebServer is a C++ Linux web server by the individual developer MARK. An injection vulnerability exists in WebServer version 1.0: the Login component in the file code/http/httprequest.cpp is susceptible to SQL injection through manipulation of the username/password parameters...

CVSS 9.8 · AI score 7.7 · EPSS 0.00416 · Exploits 0 · References 4
Snyk
added 2025/04/08 4:00 p.m.

Allocation of Resources Without Limits or Throttling

Overview Microsoft.AspNetCore.App.Runtime.linux-arm64 is a package providing a default set of APIs for building an ASP.NET Core application. Contains assets used for self-contained deployments. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttlin...

CVSS 8.7 · AI score 7.9 · EPSS 0.09556 · Exploits 0 · References 2
OSV
added 2025/03/18 5:31 p.m.

CLSA-2025-1742319076 Fix CVE(s): CVE-2023-44487

SECURITY UPDATE: The HTTP/2 protocol allows a denial of service because request cancellation can reset many streams quickly. - debian/patches/CVE-2023-44487.patch: HTTP/2 - per-iteration stream handling limit. - CVE-2023-44487...

CVSS 7.5 · AI score 7.1 · EPSS 0.9439 · Exploits 19 · References 1
AstraLinux
added 2025/02/11 7:35 a.m.

Astra Linux – Vulnerability in Apache2

Servicing WebSocket protocol upgrades over an HTTP/2 connection may lead to a NULL pointer dereference, causing the server process to crash and degrading performance...

CVSS 5.4 · AI score 6.2 · EPSS 0.00187 · Exploits 0 · References 3
BDU FSTEC
added 2025/01/21 12:00 a.m.

A vulnerability in the firmware of the PowerLogic HDPM6000 multi-environmental electrical voltage measuring instrument, related to authentication bypass using a user-controlled key, allows attackers to escalate their privileges.

The vulnerability in the firmware of the PowerLogic HDPM6000 multi-environmental electrical voltage measuring instrument lies in the ability to bypass authentication by using a user-controlled key. Exploiting this vulnerability allows an attacker to escalate their privileges by...

CVSS 9 · AI score 5.5 · EPSS 0.00055 · Exploits 0 · References 3 · Affected Software 1
RedHat Linux
added 2024/12/12 2:25 a.m.

waitress: python-waitress: request processing race condition in HTTP pipelining with invalid first request

A flaw was found in the Waitress WSGI server for Python. A remote client can send a request that is exactly recv_bytes long (which defaults to 8192), followed by a secondary request using HTTP pipelining. When request lookahead is disabled (the default), Waitress won't read any more requests, and when th...

CVSS 9.1 · AI score 5.8 · EPSS 0.00572 · Exploits 0 · References 6
BDU FSTEC
added 2024/11/20 12:00 a.m.

A vulnerability in the ccmdebug_m() function of the firmware for the Annke Crater 2 (F300) camera allows an intruder to execute arbitrary commands.

The vulnerability in the ccmdebug_m() function of the Annke Crater 2 (F300) IP camera firmware lies in the lack of neutralization of special elements used in operating system commands. Exploiting this vulnerability allows a remote attacker to execute arbitrary commands by sending a...

CVSS 8.8 · AI score 6 · EPSS 0.00542 · Exploits 0 · References 4 · Affected Software 1
Amazon
added 2024/11/15 12:00 a.m.

Important: perl-App-cpanminus

Issue Overview: The App::cpanminus package through 1.7047 for Perl downloads code via insecure HTTP, enabling code execution for network attackers. (CVE-2024-45321) Affected Packages: perl-App-cpanminus Note: This advisory is applicable to the Amazon Linux 2 (AL2) Core repository. Visit this FAQ section...

CVSS 9.8 · AI score 7.8 · EPSS 0.00708 · Exploits 1
OSV
added 2024/10/23 4:15 p.m.

CVE-2024-30124

HCL Sametime is impacted by insecure services in-use on the UIM client by default. An unused legacy REST service was enabled by default using the HTTP protocol. An attacker could potentially use this service endpoint maliciously...

CVSS 4 · AI score 5.8 · EPSS 0.00076 · Exploits 0 · References 1
BDU FSTEC
added 2024/10/21 12:00 a.m.

A vulnerability in the Site Hierarchy Flows component of the Oracle Site Hub data storage and management system, part of the Oracle E-Business Suite, allows an attacker to access, modify, add, and delete data.

The vulnerability in the Site Hierarchy Flows component of the Oracle Site Hub data storage and management system, part of the Oracle E-Business Suite enterprise automation system, is related to authentication errors. Exploiting this vulnerability could allow an attacker to gain...

CVSS 8.5 · AI score 7.5 · EPSS 0.01562 · Exploits 0 · References 4 · Affected Software 2
Positive Technologies
added 2024/09/18 12:00 a.m.

PT-2024-39302 · Circutor · Circutor Q-Smt

Name of the Vulnerable Software and Affected Versions: CIRCUTOR Q-SMT version 1.0.4. Description: An attacker with access to the network where the CIRCUTOR Q-SMT is located could obtain legitimate credentials or steal sessions, because the device only implements the HTTP protocol,...

CVSS 8.8 · AI score 6.9 · EPSS 0.00122 · Exploits 0 · References 8
Microsoft CVE
added 2024/08/18 7:00 a.m.

twisted.web has disordered HTTP pipeline response

...

CVSS 8.3 · AI score 7 · EPSS 0.00108 · Exploits 0
CNNVD
added 2024/08/07 12:00 a.m.

Cisco Small Business SPA300 Series IP Phones and Cisco Small Business SPA500 Series IP Phones security vulnerability

Cisco Small Business SPA500 Series IP Phones and Cisco Small Business SPA300 Series IP Phones are both products of Cisco, Inc. The Cisco Small...

CVSS 9.8 · AI score 7.8 · EPSS 0.11713 · Exploits 0 · References 2
Snyk
added 2024/07/09 9:14 p.m.

Use After Free

Overview Affected versions of this package are vulnerable to Use After Free through the handling of HTTP/3 requests in the Kestrel server. An attacker can execute arbitrary code by sending specially crafted HTTP/3 requests that exploit the data corruption issue. Remediation Upgrade...

CVSS 9.2 · AI score 7.9 · EPSS 0.04361 · Exploits 0 · References 2
RedHat Linux
added 2024/06/27 12:22 a.m.

golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS

A vulnerability was discovered in the implementation of the HTTP/2 protocol in the Go programming language. There were insufficient limits on the number of CONTINUATION frames sent within a single stream. An attacker could potentially exploit this to cause a Denial of Service (DoS) attack...

CVSS 7.5 · AI score 7.2 · EPSS 0.69905 · Exploits 1 · References 7
RedHat Linux
added 2024/06/04 11:07 a.m.

eap-galleon: custom provisioning creates unsecured http-invoker

An improper initialization vulnerability was found in Galleon. When using Galleon to provision custom EAP or EAP-XP servers, the servers are created unsecured. This issue could allow an attacker to access remote HTTP services available from the server...

CVSS 7.5 · AI score 5.8 · EPSS 0.00191 · Exploits 0 · References 4