72 matches found
CVE-2026-5545 wrong reuse of HTTP Negotiate connection
libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTPS request after a Negotiate-authenticated one, when both use the same host. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid...
GHSA-35HP-HQMV-8QG8 Fiber's cache middleware default key generator ignores query string, causing response mix-up across distinct query parameters
Summary Fiber cache middleware's default key generator uses only c.Path and does not include the query string. As a result, requests like /?id=1 and /?id=2 can map to the same cache key and share the same cached response. This can cause response mix-up cache poisoning-like behavior for endpoints...
Fiber's cache middleware default key generator ignores query string, causing response mix-up across distinct query parameters
Summary Fiber cache middleware's default key generator uses only c.Path and does not include the query string. As a result, requests like /?id=1 and /?id=2 can map to the same cache key and share the same cached response. This can cause response mix-up cache poisoning-like behavior for endpoints...
UBUNTU-CVE-2026-1965
libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of...
Hono Improper Authorization vulnerability
Improper Authorization in Hono JWT Audience Validation Hono’s JWT authentication middleware did not validate the aud Audience claim by default. As a result, applications using the middleware without an explicit audience check could accept tokens intended for other audiences, leading to potential...
EUVD-2020-12600
Malware in sbrugna...
Apache Tomcat: Request header mix-up between HTTP/2 streams
...
A week in security (March 31 – April 6)
Last week on Malwarebytes Labs: Why we’re no longer doing April Fools’ Day Intimate images from kink and LGBTQ+ dating apps left exposed online "Urgent reminder" tax scam wants to phish your Microsoft credentials "Nudify" deepfakes stored unprotected online Location, name, and photos of random ki...
Location, name, and photos of random kids shown to parents in child tracker mix up
Not one but several worried parents that tracked their children by using T-Mobile tracking devices suddenly found that they were looking at the location of random other children. And could not locate their own. T-Mobile sells a small GPS tracker called SyncUP, which can be used to track, among...
K000149857: Apache Tomcat vulnerability CVE-2024-52317
Security Advisory Description Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This issue affects Apache Tomcat: from 11.0.0-M23 through...
SUSE CVE-2024-57805
In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Intel: hda-dai: Do not release the link DMA on STOP The linkDMA should not be released on stop trigger since a stream re-start might happen without closing of the stream. This leaves a short time for other streams to...
CVE-2024-52317
A flaw was found in Apache Tomcat HTTP/2 handling. This vulnerability allows a request or response mix-up between users via incorrect recycling of request and response objects...
Apache Tomcat 10.1.0-M1 < 10.1.31 Multiple Vulnerabilities
The version of Apache Tomcat installed on the remote host 9.0.0-M1 to 9.0.95, 10.1.0-M1 to 10.1.30 or 11.0.0-M1 to 11.0.0-M26. It is, therefore, affected by multiple vulnerabilities : - If Tomcat was configured to use a custom Jakarta Authentication formerly JASPIC ServerAuthContext component whi...
Apache Tomcat 9.0.0-M1 < 9.0.96 Multiple Vulnerabilities
The version of Apache Tomcat installed on the remote host 9.0.0-M1 to 9.0.95, 10.1.0-M1 to 10.1.30 or 11.0.0-M1 to 11.0.0-M26. It is, therefore, affected by multiple vulnerabilities : - If Tomcat was configured to use a custom Jakarta Authentication formerly JASPIC ServerAuthContext component whi...
Apache Tomcat 11.0.0-M1 < 11.0.0 Multiple Vulnerabilities
The version of Apache Tomcat installed on the remote host 9.0.0-M1 to 9.0.95, 10.1.0-M1 to 10.1.30 or 11.0.0-M1 to 11.0.0-M26. It is, therefore, affected by multiple vulnerabilities : - If Tomcat was configured to use a custom Jakarta Authentication formerly JASPIC ServerAuthContext component whi...
DEBIAN-CVE-2024-52317
Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through...
CVE-2024-52317 Apache Tomcat: Request/response mix-up with HTTP/2
Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through...
Apache Tomcat HTTP/2 Vulnerability (Nov 2024) - Linux
Apache Tomcat is prone to vulnerability in HTTP/2. SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:apache:tomcat"; if description...
Fixed in Apache Tomcat 11.0.0
Important: Request and/or response mix-up CVE-2024-52317 Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This was fixed with commit 9e840cca. This issue was identified by the Tomcat Security Team on 1 October 2024...
Fixed in Apache Tomcat 9.0.96
Important: Request and/or response mix-up CVE-2024-52317 Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This was fixed with commit 47307ee2. This issue was identified by the Tomcat Security Team on 1 October 2024...