Lucene search
K

123 matches found

Oracle linux
Oracle linux
added 2023/11/03 12:0 a.m.34 views

squid security update

7:5.5-5.el92.1 - Improve HTTP chunked encoding compliance CVE-2023-46846 - Fix stack buffer overflow when parsing Digest Authorization CVE-2023-46847 - Fix userinfo percent-encoding CVE-2023-46848...

7.9AI score0.85944EPSS
Exploits0
Prion
Prion
added 2023/07/05 9:15 p.m.20 views

Format string

Pandoc is a Haskell library for converting from one markup format to another, and a command-line tool that uses this library. Starting in version 1.13 and prior to version 3.1.4, Pandoc is susceptible to an arbitrary file write vulnerability, which can be triggered by providing a specially crafte...

2.4CVSS5.3AI score0.00368EPSS
Exploits1References2Affected Software2
SUSE CVE
SUSE CVE
added 2023/02/15 5:29 a.m.2 views

SUSE CVE-2014-2525

Heap-based buffer overflow in the yamlparserscanuriescapes function in LibYAML before 0.1.6 allows context-dependent attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file...

6.8CVSS8.2AI score0.09264EPSS
Exploits2References7
SUSE CVE
SUSE CVE
added 2023/02/15 4:56 a.m.3 views

SUSE CVE-2016-8622

The URL percent-encoding decode function in libcurl before 7.51.0 is called curleasyunescape. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get...

9.8CVSS9.6AI score0.0467EPSS
Exploits0References25
SUSE CVE
SUSE CVE
added 2023/02/15 3:44 a.m.7 views

SUSE CVE-2021-28164

In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This ca...

5.9CVSS8.5AI score0.82371EPSS
Exploits7References6
SUSE CVE
SUSE CVE
added 2023/02/15 3:26 a.m.2 views

SUSE CVE-2022-27780

The curl URL parser wrongly accepts percent-encoded URL separators like '/'when decoding the host name part of a URL, making it a different URL usingthe wrong host name when it is later retrieved.For example, a URL like http://example.com%2F127.0.0.1/, would be allowed bythe parser and get...

6.5CVSS8.8AI score0.02187EPSS
Exploits1References3
Microsoft CVE
Microsoft CVE
added 2022/06/15 7:0 a.m.6 views

The curl URL parser wrongly accepts percent-encoded URL separators like '/'when decoding the host name part of a URL making it a *different* URL usingthe wrong host name when it is later retrieved.For example a URL like `http://example.com%2F127.0.0.1/` would be allowed bythe parser and get transposed into `http://example.com/127.0.0.1/`. This flawcan be used to circumvent filters checks and more.

...

7.5CVSS6.6AI score0.02187EPSS
Exploits1
ATTACKERKB
ATTACKERKB
added 2022/06/03 5:15 a.m.2 views

CVE-2022-32265

qDecoder before 12.1.0 does not ensure that the percent character is followed by two hex digits for URL decoding...

5.3CVSS5.3AI score0.01166EPSS
Exploits0References4
OSV
OSV
added 2022/06/02 2:15 p.m.5 views

ALPINE-CVE-2022-27780

The curl URL parser wrongly accepts percent-encoded URL separators like '/'when decoding the host name part of a URL, making it a different URL usingthe wrong host name when it is later retrieved.For example, a URL like http://example.com%2F127.0.0.1/, would be allowed bythe parser and get...

7.5CVSS6.9AI score0.02187EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2022/06/02 2:15 p.m.4 views

CVE-2022-27780

The curl URL parser wrongly accepts percent-encoded URL separators like '/'when decoding the host name part of a URL, making it a different URL usingthe wrong host name when it is later retrieved.For example, a URL like http://example.com%2F127.0.0.1/, would be allowed bythe parser and get...

7.5CVSS5.9AI score0.02187EPSS
Exploits1References4
OSV
OSV
added 2022/06/02 2:15 p.m.2 views

DEBIAN-CVE-2022-27780

The curl URL parser wrongly accepts percent-encoded URL separators like '/'when decoding the host name part of a URL, making it a different URL usingthe wrong host name when it is later retrieved.For example, a URL like http://example.com%2F127.0.0.1/, would be allowed bythe parser and get...

7.5CVSS6.6AI score0.02187EPSS
Exploits1References1
BDU FSTEC
BDU FSTEC
added 2022/05/30 12:0 a.m.6 views

The vulnerability of the cURL command-line utility, related to errors in URL encoding, allows a hacker to redirect users to another URL address.

The vulnerability of the cURL command-line utility relates to the replacement of the “%” symbol with “/” when encoding URL addresses. Exploiting this vulnerability can allow a remote attacker to redirect users to a different URL address...

5.3CVSS6.8AI score0.02187EPSS
Exploits1References11Affected Software4
Redos
Redos
added 2022/05/24 12:0 a.m.5 views

ROS-20220524-21

The cURL command-line utility vulnerability is related to a bug in the HSTS implementation that could allow curl to continue using the HTTP protocol instead of HTTPS if the hostname in the specified URL used an endpoint but did not use it when building the HSTS cache. Exploitation of the...

7.5CVSS7.1AI score0.02596EPSS
Exploits5
RedHat Linux
RedHat Linux
added 2021/11/23 10:34 a.m.3 views

jetty: Ambiguous paths can access WEB-INF

In Jetty the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. An attacker can use this vulnerability to reveal sensitive information regarding the implementation of a web application...

5.3CVSS7.4AI score0.82371EPSS
Exploits7References5
CNNVD
CNNVD
added 2021/04/01 12:0 a.m.7 views

Eclipse Jetty 安全漏洞

Eclipse Jetty is the Eclipse Foundation of an open source , Java-based Web server and Java Servlet container . A security vulnerability exists in Eclipse Jetty versions 9.4.37.v20210219 through 9.4.38.v20210224, which stems from a default conformance mode that allows requests with URIs containing...

7.8CVSS8AI score0.82371EPSS
Exploits9References56
OSV
OSV
added 2020/07/27 12:15 p.m.3 views

DEBIAN-CVE-2020-7694

This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ASNI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request craft...

7.5CVSS7.3AI score0.01345EPSS
Exploits1References1
Snyk
Snyk
added 2020/07/10 9:29 a.m.2 views

Log Injection

Overview uvicorn is a lightning-fast ASGI server. Affected versions of this package are vulnerable to Log Injection. The request logger provided by the package is vulnerable to ASNI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its...

7.5CVSS6.8AI score0.01345EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2020/07/01 12:0 a.m.2 views

PT-2020-4159 · Microsoft +3 · Asp.Net Core +3

Name of the Vulnerable Software and Affected Versions: ASP.NET Core affected versions not specified Description: A security feature bypass issue exists in the way ASP.NET Core parses encoded cookie names. The ASP.NET Core cookie parser decodes entire cookie strings, which could allow a malicious...

7.8CVSS7.5AI score0.06624EPSS
Exploits0References30
Snyk
Snyk
added 2020/06/16 7:49 a.m.5 views

Cross-site Request Forgery (CSRF)

Overview rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between the so-called middleware into a singl...

7.5CVSS7AI score0.02938EPSS
Exploits1References2
OSV
OSV
added 2019/09/17 9:15 p.m.1 views

DEBIAN-CVE-2019-16393

SPIP before 3.1.11 and 3.2 before 3.2.5 mishandles redirect URLs in ecrire/inc/headers.php with a %0D, %0A, or %20 character...

6.1CVSS7AI score0.011EPSS
Exploits0References1
Rows per page
Query Builder