AZL-38473 CVE-2023-45288 affecting package prometheus-node-exporter for versions less than 1.7.0-2

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no...

AZL-39202 CVE-2023-45288 affecting package packer for versions less than 1.10.1-2

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no...

AZL-38233 CVE-2023-45288 affecting package jx for versions less than 3.10.116-2

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no...

AZL-39505 CVE-2023-45288 affecting package node-problem-detector for versions less than 0.8.17-3

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no...

DEBIAN-CVE-2024-27316

HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion...

CVE-2024-30255 HTTP/2: CPU exhaustion due to CONTINUATION frame flood

Envoy is a cloud-native, open source edge and service proxy. The HTTP/2 protocol stack in Envoy versions prior to 1.29.3, 1.28.2, 1.27.4, and 1.26.8 are vulnerable to CPU exhaustion due to flood of CONTINUATION frames. Envoy's HTTP/2 codec allows the client to send an unlimited number of...

PT-2024-23854

Name of the Vulnerable Software and Affected Versions WordPress versions 6.4.0 through 6.4.1 Description The issue allows for code execution via the destruct magic method of the WP HTML Token class when unserializing its instances. This issue was fixed in WordPress 6.4.2 on December 6th, 2023...

The vulnerability of the Apache Tomcat application server, related to insufficient input validation, allows attackers to cause service failures.

The vulnerability of the Apache Tomcat application server is related to insufficient validation of input data. Exploiting this vulnerability allows a malicious actor to cause service failures through specially crafted HTTP/2 requests...

Apache Traffic Server 输入验证错误漏洞

Apache Traffic Server ATS is the United States Apache Apache Foundation's set of scalable HTTP proxy and caching server. Apache Traffic Server suffers from an input validation error vulnerability that stems from continuation frame flooding in the HTTP/2 stack, which can be exploited by an attacke...

PT-2024-2623 · Tempesta · Tempesta

Name of the Vulnerable Software and Affected Versions: Tempesta affected versions not specified Description: The issue is related to a firewall vulnerability in the implementation of the HTTP/2 protocol, specifically concerning the handling of CONTINUATION frames. This can lead to an uncontrolled...

python-aiohttp: numerous issues in HTTP parser with header parsing

An HTTP request smuggling vulnerability was found in aiohttp. Numerous issues with HTTP parsing can allow an attacker to smuggle HTTP requests...

UBUNTU-CVE-2023-45288

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no...

Mozilla: Improper handling of html and body tags enabled CSP nonce leakage

The Mozilla Foundation Security Advisory describes this flaw as: Using a markup injection an attacker could have stolen nonce values. This could have been used to bypass strict content security policies...

Mozilla: Improper handling of html and body tags enabled CSP nonce leakage

The Mozilla Foundation Security Advisory describes this flaw as: Using a markup injection an attacker could have stolen nonce values. This could have been used to bypass strict content security policies...

SUSE CVE-2024-2631

Inappropriate implementation in iOS in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. Chromium security severity: Low...

The vulnerability of the aiohttp HTTP client, related to deficiencies in handling HTTP request headers, allows attackers to send hidden HTTP requests (HTTP Request Smuggling attack).

The vulnerability of the aiohttp HTTP client is related to deficiencies in the handling of HTTP request headers. Exploiting this vulnerability allows an attacker to send hidden HTTP requests remotely HTTP Request Smuggling attack...

PT-2024-3277 · Google +4 · Google Chrome +5

Name of the Vulnerable Software and Affected Versions: Google Chrome versions prior to 123.0.6312.58 Description: The issue is related to an object lifecycle problem in the V8 JavaScript and WebAssembly engine, allowing a remote attacker to potentially exploit object corruption via a crafted HTML...

BMC Control-M Security Vulnerability

BMC Control-M is an application from BMC Corporation. Simplifies application and data workflow orchestration locally or as a service. A security vulnerability exists in BMC Control-M branches versions 9.0.20 and 9.0.21, which originates from a vulnerability that allows a logged-in user to...

The vulnerability of the Captive Portal authentication system for operating systems FortiOS and proxy servers, designed to protect against Internet attacks by FortiProxy, allows a perpetrator to execute arbitrary codes or commands.

The vulnerability of Captive Portal for FortiOS operating systems and proxy servers, designed to protect against Internet attacks using FortiProxy, is related to buffer overflow in the stack. Exploiting this vulnerability allows a malicious actor to execute arbitrary code or commands through...

CVE-2023-38536

HTML injection in OpenText™ Exceed Turbo X affecting version 12.5.1. The vulnerability could result in Cross site scripting...