
381 matches found

Prion
added 2024/02/01 4:17 p.m., 10 views

Design/Logic Flaw

Bref enables serverless PHP on AWS Lambda. When Bref is used in combination with an API Gateway with the v2 format, it does not handle multiple-value headers. If PHP generates a response with two headers having the same key but different values, only the latest one is kept. If an application relie...

CVSS 6.4, AI score 7.2, EPSS 0.00191
Exploits: 1, References: 2, Affected Software: 1
Vulnrichment
added 2024/02/01 4:10 p.m., 7 views

CVE-2024-24754 Bref Body Parsing Inconsistency in Event-Driven Functions

Bref enables serverless PHP on AWS Lambda. When Bref is used with the Event-Driven Function runtime and the handler is a RequestHandlerInterface, the Lambda event is converted to a PSR-7 object. During the conversion process, if the request is multipart, each part is parsed and its content...

CVSS 3.7, AI score 9.6, EPSS 0.00227
Exploits: 1, References: 2
OSV
added 2024/02/01 4:10 p.m., 103 views

CVE-2024-24754 Bref Body Parsing Inconsistency in Event-Driven Functions

Bref enables serverless PHP on AWS Lambda. When Bref is used with the Event-Driven Function runtime and the handler is a RequestHandlerInterface, the Lambda event is converted to a PSR-7 object. During the conversion process, if the request is multipart, each part is parsed and its content...

CVSS 3.7, AI score 9.2, EPSS 0.00227
Exploits: 1, References: 4
CVE
added 2024/02/01 4:10 p.m., 34 views

CVE-2024-24754

Summary: The CVE concerns Bref running PHP on AWS Lambda with the Event-Driven Function runtime. When the Lambda event is converted to a PSR-7 request, multipart form data parts are parsed into nested arrays; specifically, keys ending with an open bracket (for example key0[key1][key2][) are treat...

CVSS 9.8, AI score 9.5, EPSS 0.00227
Exploits: 1, References: 2, Affected Software: 1
Cvelist
added 2024/02/01 4:10 p.m., 11 views

CVE-2024-24754 Bref Body Parsing Inconsistency in Event-Driven Functions

Bref enables serverless PHP on AWS Lambda. When Bref is used with the Event-Driven Function runtime and the handler is a RequestHandlerInterface, the Lambda event is converted to a PSR-7 object. During the conversion process, if the request is multipart, each part is parsed and its content...

CVSS 3.7, AI score 9.8, EPSS 0.00227
Exploits: 1, References: 2
Cvelist
added 2024/02/01 4:10 p.m., 17 views

CVE-2024-24752 Bref Uploaded Files Not Deleted in Event-Driven Functions

Bref enables serverless PHP on AWS Lambda. When Bref is used with the Event-Driven Function runtime and the handler is a RequestHandlerInterface, the Lambda event is converted to a PSR-7 object. During the conversion process, if the request is multipart, each part is parsed and for each whic...

CVSS 6.5, AI score 6.6, EPSS 0.00141
Exploits: 1, References: 2
OSV
added 2024/02/01 4:10 p.m., 100 views

CVE-2024-24752 Bref Uploaded Files Not Deleted in Event-Driven Functions

Bref enables serverless PHP on AWS Lambda. When Bref is used with the Event-Driven Function runtime and the handler is a RequestHandlerInterface, the Lambda event is converted to a PSR-7 object. During the conversion process, if the request is multipart, each part is parsed and for each whic...

CVSS 6.5, AI score 6.4, EPSS 0.00141
Exploits: 1, References: 4
Vulnrichment
added 2024/02/01 4:10 p.m., 17 views

CVE-2024-24752 Bref Uploaded Files Not Deleted in Event-Driven Functions

Bref enables serverless PHP on AWS Lambda. When Bref is used with the Event-Driven Function runtime and the handler is a RequestHandlerInterface, the Lambda event is converted to a PSR-7 object. During the conversion process, if the request is multipart, each part is parsed and for each whic...

CVSS 6.5, AI score 6.8, EPSS 0.00141
Exploits: 1, References: 2
CVE
added 2024/02/01 4:10 p.m., 47 views

CVE-2024-24752

Bref CVE-2024-24752 affects AWS Lambda deployments using Bref with the Event-Driven Function runtime and a RequestHandlerInterface. During multipart handling, uploaded parts that are files are saved to /tmp with random names starting bref_upload_ and are not deleted after the request is processed...

CVSS 6.5, AI score 6.3, EPSS 0.00141
Exploits: 1, References: 2, Affected Software: 1
OSV
added 2024/02/01 4:09 p.m., 103 views

CVE-2024-24753 Bref Multiple Value Headers Not Supported in ApiGatewayFormatV2

Bref enables serverless PHP on AWS Lambda. When Bref is used in combination with an API Gateway with the v2 format, it does not handle multiple-value headers. If PHP generates a response with two headers having the same key but different values, only the latest one is kept. If an application relie...

CVSS 4.8, AI score 6.5, EPSS 0.00191
Exploits: 1, References: 4
CVE
added 2024/02/01 4:09 p.m., 67 views

CVE-2024-24753

CVE-2024-24753 concerns the Bref serverless PHP runtime on AWS Lambda. When used with API Gateway v2, Bref does not correctly handle multiple-value headers: if PHP emits two headers with the same name, only the last value is retained. This can undermine security policies that rely on multiple hea...

CVSS 6.5, AI score 6.4, EPSS 0.00191
Exploits: 1, References: 2, Affected Software: 1
Cvelist
added 2024/02/01 4:09 p.m., 15 views

CVE-2024-24753 Bref Multiple Value Headers Not Supported in ApiGatewayFormatV2

Bref enables serverless PHP on AWS Lambda. When Bref is used in combination with an API Gateway with the v2 format, it does not handle multiple-value headers. If PHP generates a response with two headers having the same key but different values, only the latest one is kept. If an application relie...

CVSS 4.8, AI score 6.7, EPSS 0.00191
Exploits: 1, References: 2
vulnersOsv
added 2023/12/07 9:30 a.m., 1 view

com.amazonaws.serverless:aws-serverless-java-container-struts (>=1.9 <=1.9.3), com.jgeppert.struts2.bootstrap:struts2-bootstrap-plugin (>=5.0.0 <=5.0.2) +52 more potentially affected by CVE-2023-50164 via org.apache.struts:struts2-core (>=6.0.0 <=6.3.0.1)

org.apache.struts:struts2-core MAVEN version =6.0.0, =1.9, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =1.4.0, =1.4.1, =1.4.0, =1.4.3 and more. Source cves: CVE-2023-50164. Source advisory: OSV:GHSA-2J...

CVSS 9.8, AI score 7.4, EPSS 0.92896
Exploits: 15
OSSF Malicious Packages
added 2023/11/08 7:59 p.m., 2 views

Malicious code in devportal-aws-lambda (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 586c4231b2500b2299bb0a25b45ebdeaec062531b446c12f7547ab351c1b616a The OpenSSF Package Analysis project identified 'devportal-aws-lambda' @ 1.0.0 npm as malicious. It is considered malicious because: - The packa...

AI score 6.9
Exploits: 0
OSSF Malicious Packages
added 2023/10/10 5:11 a.m., 2 views

Malicious code in dhi-lambda-toolkit (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 3351ebceada844e3c37823d1758b1dc0dde8032ecee467287317086cdc5b3d01 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 6.9
Exploits: 0, References: 1
OSV
added 2023/10/10 5:11 a.m., 10 views

MAL-2023-8323 Malicious code in dhi-lambda-toolkit (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 3351ebceada844e3c37823d1758b1dc0dde8032ecee467287317086cdc5b3d01 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 7
Exploits: 0, References: 1
Openbugbounty
added 2023/09/30 11:38 p.m., 9 views

lambda-tek.com Cross Site Scripting vulnerability OBB-3715257

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...

AI score 6.1
Exploits: 0
Openbugbounty
added 2023/09/15 5:23 p.m., 8 views

lambda-tek.com Cross Site Scripting vulnerability OBB-3682950

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...

AI score 6.1
Exploits: 0
Qualys Blog
added 2023/08/29 8:02 a.m., 90 views

Risk Fact #4: Malware in your Cloud means Exploitation is underway

Qualys Blog Series – 2023 TotalCloud Security Insights by the Threat Research Unit. The 2023 TotalCloud Security Insights report from the Qualys Threat Research Unit (TRU) provides research insights, best practices, and detailed recommendations organized by five separate Risk Facts. The insights wil...

CVSS 7.5, AI score 9.5, EPSS 0.9421
Exploits: 17
Spring Engineering
added 2023/08/01 12:00 a.m., 8 views

This Week in Spring - August 1st, 2023

Hi, Spring fans! Welcome to another installment of This Week in Spring! Can you believe it's already August 1, 2023??? Me either. As I write this, I'm preparing some of my contributions for SpringOne at VMWare Explore 2023, happening next month in lovely Las Vegas, NV. Have you registered yet? I'...

AI score 7.2
Exploits: 0