Lucene search
K

117 matches found

RedHat Linux
RedHat Linux
added 2019/09/19 7:37 a.m.3 views

HTTP/2: 0-length headers lead to denial of service

A flaw was found in HTTP/2. An attacker, sending a stream of header with a 0-length header name and a 0-length header value, could cause some implementations to allocate memory for these headers and keep the allocations alive until the session dies. The can consume excess memory, potentially...

7.5CVSS7.1AI score0.56262EPSS
Exploits0References9
RedHat Linux
RedHat Linux
added 2019/09/17 3:16 p.m.3 views

HTTP/2: 0-length headers lead to denial of service

A flaw was found in HTTP/2. An attacker, sending a stream of header with a 0-length header name and a 0-length header value, could cause some implementations to allocate memory for these headers and keep the allocations alive until the session dies. The can consume excess memory, potentially...

7.5CVSS7.1AI score0.56262EPSS
Exploits0References9
Tenable Nessus
Tenable Nessus
added 2019/08/20 12:0 a.m.75 views

FreeBSD : NGINX -- Multiple vulnerabilities (87679fcb-be60-11e9-9051-4c72b94353b5) (0-Length Headers Leak) (Data Dribble) (Resource Loop)

NGINX Team reports : Several security issues were identified in nginx HTTP/2 implementation which might cause excessive memory consumption and CPU usage CVE-2019-9511, CVE-2019-9513, CVE-2019-9516. The issues affect nginx compiled with the ngxhttpv2module not compiled by default if the http2 opti...

7.8CVSS7.4AI score0.82017EPSS
Exploits0References5
Node JS Blog
Node JS Blog
added 2019/08/16 12:0 a.m.65 views

August 2019 Security Releases

August 2019 Security Releases Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information. Updates are now available for all...

7.8CVSS7.7AI score0.87806EPSS
Exploits1
OSV
OSV
added 2019/08/13 9:15 p.m.2 views

DEBIAN-CVE-2019-9516

Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory fo...

6.5CVSS7.4AI score0.56262EPSS
Exploits0References1
Nginx
Nginx
added 2019/08/13 8:50 p.m.623 views

Excessive memory usage in HTTP/2 with zero length headers

Excessive memory usage in HTTP/2 with zero length headers Severity: low CVE-2019-9516 Not vulnerable: 1.17.3+, 1.16.1+ Vulnerable: 1.9.5-1.17.2...

7.5CVSS3.2AI score0.56262EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2019/08/13 12:0 a.m.10 views

UBUNTU-CVE-2019-9516

Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory fo...

7.5CVSS7.1AI score0.56262EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2019/08/13 12:0 a.m.9 views

PT-2019-3464

Name of the Vulnerable Software and Affected Versions nginx affected versions not specified Node.js affected versions not specified SwiftNIO affected versions not specified Description The issue is related to an uncontrolled resource consumption when receiving a header with a length parameter set...

9.8CVSS9AI score0.95707EPSS
Exploits70References374
CERT
CERT
added 2019/08/13 12:0 a.m.127 views

HTTP/2 implementations do not robustly handle abnormal traffic and resource exhaustion

Overview Multiple HTTP/2 implementations are vulnerable to a variety of denial-of-service DoS attacks. Description The Security Considerations section of RFC7540 discusses some of the considerations needed for HTTP/2 connections as they demand more resources to operate than HTTP/1.1 connections...

7.8CVSS7.7AI score0.87806EPSS
Exploits1References6
Debian CVE
Debian CVE
added 2018/06/26 5:0 p.m.44 views

CVE-2017-7658

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x all non HTTP/1.x configurations, and 9.4.x all HTTP/1.x configurations, when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was...

9.8CVSS6.5AI score0.20985EPSS
Exploits0
IBM Security Bulletins
IBM Security Bulletins
added 2018/06/17 4:56 a.m.42 views

Security Bulletin: Rational Insight - Open Source Tomcat reported in May 2014 X-Force Report

Summary Multiple security vulnerabilities exist in the Tomcat that is shipped with the Rational Insight. Vulnerability Details | Subscribe to My Notifications to be notified of important product support alerts like this. Follow this link for more information requires login with your IBM ID ---|--...

5CVSS0.1AI score0.2006EPSS
Exploits1Affected Software1
OSV
OSV
added 2017/10/18 8:29 p.m.7 views

UBUNTU-CVE-2015-5740

The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request with two Content-length headers...

9.8CVSS6.8AI score0.03657EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2016/07/28 12:0 a.m.30 views

openSUSE Security Update : go (openSUSE-2016-907)

This update for go fixes the following issues : - CVE-2015-5739: 'Content Length' treated as valid header - CVE-2015-5740: Double content-length headers does not return 400 error - CVE-2015-5741: Additional hardening, not sending Content-Length w/Transfer-Encoding, Closing connections Go was...

9.8CVSS6.8AI score0.09625EPSS
Exploits0References4
OSV
OSV
added 2016/04/25 2:59 p.m.2 views

DEBIAN-CVE-2015-8852

Varnish 3.x before 3.0.7, when used in certain stacked installations, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a header line terminated by a \r carriage return character in conjunction with multiple Content-Length headers in an HTTP...

7.5CVSS7.1AI score0.03524EPSS
Exploits0References1
UbuntuCve
UbuntuCve
added 2016/04/25 2:59 p.m.28 views

CVE-2015-8852

Varnish 3.x before 3.0.7, when used in certain stacked installations, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a header line terminated by a \r carriage return character in conjunction with multiple Content-Length headers in an HTTP...

7.5CVSS7.1AI score0.03524EPSS
Exploits0References2
OSV
OSV
added 2016/04/25 2:59 p.m.4 views

UBUNTU-CVE-2015-8852

Varnish 3.x before 3.0.7, when used in certain stacked installations, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a header line terminated by a \r carriage return character in conjunction with multiple Content-Length headers in an HTTP...

7.5CVSS5.8AI score0.03524EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2016/04/21 12:0 a.m.4 views

PT-2016-4045 · Varnish · Varnish

Name of the Vulnerable Software and Affected Versions: Varnish versions 3.x through 3.0.6 Description: The issue allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a header line terminated by a r carriage return character in conjunction with...

7.5CVSS7.4AI score0.03524EPSS
Exploits0References25
Tenable Nessus
Tenable Nessus
added 2014/07/31 12:0 a.m.47 views

Ubuntu 14.04 LTS : Tomcat vulnerabilities (USN-2302-1)

The remote Ubuntu 14.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-2302-1 advisory. David Jorm discovered that Tomcat incorrectly handled certain requests submitted using chunked transfer encoding. A remote attacker could use this flaw t...

5CVSS7AI score0.2006EPSS
Exploits1References4
seebug.org
seebug.org
added 2014/07/01 12:0 a.m.41 views

Microsoft Foundation Class Library 7.0 ISAPI Buffer Overflow Vulnerability

No description provided by source. source: http://www.securityfocus.com/bid/5188/info The Microsoft Foundation Class Library is a library used to develop applications for Microsoft Windows. Some versions of the MFC include an ISAPI class, which can be used to construct applications which extend w...

7.1AI score
Exploits0
RedHat Linux
RedHat Linux
added 2014/06/10 12:34 p.m.6 views

tomcat: multiple content-length header poisoning flaws

It was found that when Tomcat / JBoss Web processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, Tomcat / JBoss Web would incorrectly handle the request. A remote...

5.8CVSS6.5AI score0.16833EPSS
Exploits2References4
Rows per page
Query Builder