14 matches found

Hacker One
added 3 days ago, 13 views

curl: PRE_PROXY change leaks stale Proxy Digest state across proxy-chain boundary

Summary: After a Digest-authenticated HTTP proxy transfer, changing only CURLOPT_PRE_PROXY on the same libcurl easy handle does not clear stale proxy Digest/auth state. If the new SOCKS pre-proxy resolves the same HTTP proxy hostname to a different proxy endpoint, the second proxy receives a...

AI score: 5.8
Exploits: 0
AstraLinux
added 2026/05/03 11:59 p.m., 2 views

Astra Linux - vulnerability in twisted

Twisted is an event-based framework for internet applications, compatible with Python 3.6+. Before version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the twisted.web.http module, parsed several HTTP request constructs more leniently than allowed by RFC 7230. This non-conformant parsin...

CVSS: 8.1, AI score: 7.1, EPSS: 0.01107
Exploits: 0, References: 2
CVE
added 2026/01/05 12:00 a.m., 9 views

CVE-2025-65328

CVE-2025-65328 affects Mega-Fence (webgate-lib.*) 25.1.914 and earlier. The component trusts the first value of the X-Forwarded-For header as the client IP without validating a trusted proxy chain, enabling an attacker to spoof the client IP via XFF in remote requests. This spoofed IP can propaga...

CVSS: 6.5, AI score: 6.7, EPSS: 0.00076
Exploits: 1, References: 2, Affected Software: 1
EUVD
added 2026/01/05 12:00 a.m., 2 views

EUVD-2026-0812

Mega-Fence webgate-lib. 25.1.914 and prior trusts the first value of the X-Forwarded-For (XFF) header as the client IP without validating a trusted proxy chain. An attacker can supply an arbitrary XFF value in a remote request to spoof the client IP, which is then propagated to security-relevant...

CVSS: 6.5, AI score: 6.5, EPSS: 0.00076
Exploits: 1, References: 3
EUVD
added 2025/10/03 8:07 p.m., 0 views

EUVD-2022-4425

Malicious code in bioql PyPI...

CVSS: 9.8, AI score: 9.5, EPSS: 0.01198
Exploits: 0, References: 3
SUSE CVE
added 2023/02/15 4:56 a.m., 1 view

SUSE CVE-2016-8743

Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-en...

CVSS: 7.5, AI score: 8.4, EPSS: 0.0978
Exploits: 0, References: 16
Github Security Blog
added 2022/05/17 12:26 a.m., 27 views

Injection in Apache NiFi

In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to another node...

CVSS: 9.8, AI score: 9.1, EPSS: 0.01198
Exploits: 0, References: 4, Affected Software: 1
NVD
added 2017/10/19 8:29 p.m., 12 views

CVE-2017-5636

In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to another node...

CVSS: 9.8, AI score: 9.6, EPSS: 0.01198
Exploits: 0, References: 2
CVE
added 2017/10/19 8:00 p.m., 70 views

CVE-2017-5636

CVE-2017-5636 affects Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment. The issue is a vulnerability in the proxy chain serialization/deserialization that can be exploited by crafting a username to impersonate another user and gain their permissions on a replicated request t...

CVSS: 9.8, AI score: 9.5, EPSS: 0.01198
Exploits: 0, References: 2, Affected Software: 1
Cvelist
added 2017/10/19 8:00 p.m., 18 views

CVE-2017-5636

In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to another node...

AI score: 9.6, EPSS: 0.01198
Exploits: 0, References: 2
OSV
added 2017/03/22 2:54 p.m., 20 views

SUSE-SU-2017:0797-1 Security update for apache2

This update for apache2 fixes the following security issues: Security issues fixed: - CVE-2016-0736: Protect mod_session_crypto data with a MAC to prevent padding oracle attacks (bsc#1016712). - CVE-2016-2161: Malicious input to mod_auth_digest could have caused the server to crash, resulting in DoS...

CVSS: 7.5, AI score: 7.6, EPSS: 0.4168
Exploits: 4, References: 8
OSV
added 2017/03/22 2:52 p.m., 22 views

SUSE-SU-2017:0801-1 Security update for apache2

This update for apache2 provides the following fixes: Security issues fixed: - CVE-2016-0736: Protect mod_session_crypto data with a MAC to prevent padding oracle attacks (bsc#1016712). - CVE-2016-2161: Malicious input to mod_auth_digest could have caused the server to crash, resulting in DoS (bsc#1016714)...

CVSS: 7.5, AI score: 7.5, EPSS: 0.4168
Exploits: 4, References: 8
Tenable Nessus
added 2017/03/20 12:00 a.m., 69 views

SUSE SLES11 Security Update : apache2 (SUSE-SU-2017:0729-1)

This update for apache2 fixes the following issues: Security issues fixed: - CVE-2016-2161: Malicious input to mod_auth_digest could have caused the server to crash, resulting in DoS (bsc#1016714). - CVE-2016-8743: Added new directive 'HttpProtocolOptions Strict' to avoid proxy chain misinterpretatio...

CVSS: 7.5, AI score: 6.3, EPSS: 0.25822
Exploits: 0, References: 7
OSV
added 2017/03/17 1:58 p.m., 16 views

SUSE-SU-2017:0729-1 Security update for apache2

This update for apache2 fixes the following issues: Security issues fixed: - CVE-2016-2161: Malicious input to mod_auth_digest could have caused the server to crash, resulting in DoS (bsc#1016714). - CVE-2016-8743: Added new directive 'HttpProtocolOptions Strict' to avoid proxy chain misinterpretation...

CVSS: 7.5, AI score: 7.6, EPSS: 0.25822
Exploits: 0, References: 5