4404 matches found

EUVD · added 2019/08/15 9:02 p.m. · 2 views

EUVD-2019-2135

HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client...

CVSS 7.5 · AI score 6.2 · EPSS 0.36106
Exploits 1 · References 29

OSV · added 2019/08/13 9:15 p.m. · 1 view

ALPINE-CVE-2019-9512

Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU,...

CVSS 7.5 · AI score 8.9 · EPSS 0.50822
Exploits 1 · References 1

OSV · added 2019/08/13 9:15 p.m. · 1 view

ALPINE-CVE-2019-9515

Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost...

CVSS 7.5 · AI score 8.8 · EPSS 0.08892
Exploits 0 · References 1

OSV · added 2019/08/13 9:15 p.m. · 1 view

ALPINE-CVE-2019-9514

Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the...

CVSS 7.5 · AI score 8.9 · EPSS 0.09322
Exploits 0 · References 1

OSV · added 2019/08/13 12:00 a.m. · 1 view

UBUNTU-CVE-2019-9516

Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory fo...

CVSS 7.5 · AI score 7.1 · EPSS 0.02132
Exploits 0 · References 4

Positive Technologies · added 2019/08/13 12:00 a.m. · 3 views

PT-2019-2979 · Alt Linux +7

Name of the Vulnerable Software and Affected Versions: HTTP/2 implementations (affected versions not specified).
Description: The issue is related to a flood of empty frames in HTTP/2 implementations, which can lead to a denial of service. An attacker sends a stream of frames with an empty payload a...

CVSS 9.8 · AI score 6.3 · EPSS 0.90232
Exploits 56 · References 622

OSV · added 2019/08/13 12:00 a.m. · 0 views

UBUNTU-CVE-2019-9515

Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost...

CVSS 7.5 · AI score 7.3 · EPSS 0.08892
Exploits 0 · References 9

CNVD · added 2019/08/07 12:00 a.m. · 1 view

Cisco Firepower Threat Defense Policy Bypass Vulnerability

Cisco Firepower Threat Defense (FTD) is a suite of unified software from the U.S. company Cisco that provides next-generation firewall services. A policy bypass vulnerability exists in the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) protocol inspection engine in Cisco FTD versions...

CVSS 7.5 · AI score 6.8 · EPSS 0.00074
Exploits 0 · References 1

CNVD · added 2019/08/07 12:00 a.m. · 3 views

Cisco Small Business 220 Series Smart Switches Input Validation Error Vulnerability

Cisco Small Business 220 Series Smart Switches is a small smart switch device from Cisco USA. An input validation error vulnerability exists in Cisco Small Business 220 Series Smart Switches. An attacker can exploit this vulnerability by sending a malicious HTTP or HTTPS request to execute...

CVSS 9 · AI score 7.6 · EPSS 0.02424
Exploits 2 · References 1

BDU FSTEC · added 2019/08/06 12:00 a.m. · 3 views

Vulnerability in the Outside In Filters component of the Oracle Outside In Technology software suite for developing software applications, which is part of the Oracle Fusion Middleware software platform. It allows an attacker to gain unauthorized access to protected data or to cause a partial denial of service.

The vulnerability in the Outside In Filters component of the Oracle Outside In Technology software suite, which is part of the Oracle Fusion Middleware software platform, is related to deficiencies in access control. Exploiting this vulnerability could allow an attacker to gain unauthorized...

CVSS 7.5 · AI score 7.8 · EPSS 0.00637
Exploits 0 · References 4 · Affected Software 1

BDU FSTEC · added 2019/08/06 12:00 a.m. · 2 views

Vulnerability in the Outside In Filters component of the Oracle Outside In Technology software suite for developing software applications, which is part of the Oracle Fusion Middleware software platform. It allows an attacker to gain unauthorized access to protected data or to cause a partial denial of service.

The vulnerability in the Outside In Filters component of the Oracle Outside In Technology software suite, which is part of the Oracle Fusion Middleware software platform, is related to deficiencies in access control. Exploiting this vulnerability could allow an attacker to gain unauthorized...

CVSS 7.5 · AI score 7.8 · EPSS 0.00637
Exploits 0 · References 4 · Affected Software 1

PyPA · added 2019/08/02 3:15 p.m. · 5 views

PYSEC-2019-11

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars and words methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability i...

CVSS 7.5 · AI score 7 · EPSS 0.0297
Exploits 0 · References 11 · Affected Software 1

OSV · added 2019/08/02 3:15 p.m. · 0 views

PYSEC-2019-12

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.striptags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities...

CVSS 7.5 · AI score 6.8 · EPSS 0.06773
Exploits 0 · References 11

CNVD · added 2019/08/01 12:00 a.m. · 2 views

MikroTik RouterOS Denial of Service Vulnerability (CNVD-2019-25984)

MikroTik RouterOS is a Linux-based router operating system developed by the Latvian company MikroTik. The system can be deployed in a PC to enable it to provide router functionality. A security vulnerability exists in MikroTik RouterOS versions prior to 6.44.5. A remote attacker can exploit the...

CVSS 6.5 · AI score 6.9 · EPSS 0.00974
Exploits 0 · References 1

CNVD · added 2019/08/01 12:00 a.m. · 3 views

MikroTik RouterOS Denial of Service Vulnerability (CNVD-2019-25988)

MikroTik RouterOS is a Linux-based router operating system developed by the Latvian company MikroTik. The system can be deployed in a PC to enable it to provide router functionality. A security vulnerability exists in MikroTik RouterOS versions prior to 6.44.5. An attacker can exploit the...

CVSS 6.8 · AI score 6.9 · EPSS 0.00873
Exploits 0 · References 1

BDU FSTEC · added 2019/07/25 12:00 a.m. · 2 views

Vulnerability in the Google Chrome web browser, related to use of memory after it has been freed, allows a malicious actor to execute arbitrary code in the context of the current user or to cause a denial of service.

The vulnerability in the Google Chrome web browser is related to use of memory after it has been freed. Exploiting this vulnerability could allow a malicious actor to execute arbitrary code in the context of the current user, or to cause a denial of service, through a specially crafted HTML pag...

CVSS 9.3 · AI score 8.2 · EPSS 0.00356
Exploits 0 · References 6 · Affected Software 1

BDU FSTEC · added 2019/07/25 12:00 a.m. · 1 view

Vulnerability in the Message Display component of the Oracle Email Center messaging software in the Oracle E-Business Suite system, which is used for automating business operations. It allows a malicious actor to gain access to modify, add, or delete data.

The vulnerability in the Message Display component of the Oracle Email Center messaging software in the Oracle E-Business Suite system, a business automation system, is related to a lack of access control. Exploiting this vulnerability could allow an attacker, operating remotely, to gain access to...

CVSS 8.5 · AI score 5.5 · EPSS 0.01018
Exploits 0 · References 3 · Affected Software 1

BDU FSTEC · added 2019/07/25 12:00 a.m. · 4 views

Vulnerability in the CRM User Management Framework subcomponent of the Oracle Common Applications component of the Oracle E-Business Suite allows an attacker to gain access to modify, add, or delete data.

The vulnerability in the CRM User Management Framework component of the Oracle Common Applications system, part of the Oracle E-Business Suite, is related to deficiencies in access control. Exploiting this vulnerability could allow an attacker to gain access to modify, add, or delete data using t...

CVSS 8.5 · AI score 5.5 · EPSS 0.01018
Exploits 0 · References 3 · Affected Software 1

OSV · added 2019/07/23 11:15 p.m. · 1 view

CVE-2019-2824

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to...

CVSS 5.5 · AI score 7.3 · EPSS 0.00388
Exploits 0 · References 1

OSV · added 2019/07/23 2:15 p.m. · 1 view

DEBIAN-CVE-2019-11713

A use-after-free vulnerability can occur in HTTP/2 when a cached HTTP/2 stream is closed while still in use, resulting in a potentially exploitable crash. This vulnerability affects Firefox ESR 60.8, Firefox 68, and Thunderbird 60.8...

CVSS 9.8 · AI score 9.2 · EPSS 0.02057
Exploits 2 · References 1
