21 matches found
Astra Linux - уязвимость в golang-1.19, golang-1.23
The matching of hosts against proxy patterns may improperly treat an IPv6 zone ID as a hostname component. For example, when the NOPROXY environment variable is set to “.example.com”, a request to “::1%25.example.com:80” will be incorrectly matched and not be proxied...
Security Bulletin: Multiple vulnerabilities in IBM Aspera HTTP Gateway
Summary Multiple vulnerabilities were addressed in IBM Aspera HTTP Gateway version 2.3.2. Vulnerability Details CVEID:CVE-2025-36274 DESCRIPTION: IBM Aspera HTTP Gateway stores sensitive information in clear text in easily obtainable files which can be read by an unauthenticated user. CWE:CWE-312...
OESA-2025-1427 golang security update
. Security Fixes: Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NOPROXY environment variable is set to ".example.com", a request to "::1%25.example.com:80 will incorrectly match and not be proxied.CVE-2025-22870...
AZL-79030 CVE-2025-22870 affecting package golang 1.25.7-1
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NOPROXY environment variable is set to ".example.com", a request to "::1%25.example.com:80 will incorrectly match and not be proxied...
DEBIAN-CVE-2025-22870
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NOPROXY environment variable is set to ".example.com", a request to "::1%25.example.com:80 will incorrectly match and not be proxied...
AZL-58472 CVE-2025-22870 affecting package prometheus for versions less than 2.45.4-12
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NOPROXY environment variable is set to ".example.com", a request to "::1%25.example.com:80 will incorrectly match and not be proxied...
AZL-58455 CVE-2025-22870 affecting package keda for versions less than 2.14.1-7
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NOPROXY environment variable is set to ".example.com", a request to "::1%25.example.com:80 will incorrectly match and not be proxied...
CVE-2025-22870
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NOPROXY environment variable is set to ".example.com", a request to "::1%25.example.com:80 will incorrectly match and not be proxied...
UBUNTU-CVE-2025-22870
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NOPROXY environment variable is set to ".example.com", a request to "::1%25.example.com:80 will incorrectly match and not be proxied...
gitea -- Multiple vulnerabilities
[email protected] reports: Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NOPROXY environment variable is set to ".example.com", a request to "::1%25.example.com:80 will incorrectly match and not be proxied. go-redis ...
Fallback handlers can trick users into calling functions of the AmbireAccount contract
Lines of code Vulnerability details Fallback handlers can trick users into calling functions of the AmbireAccount contract Selector clashing can be used to trick users into calling base functions of the wallet. Impact Fallback handlers provide extensibility to the Ambire wallet. The main idea her...
Potential DOS in Contract Inheriting UUPSUpgradeable.sol
Lines of code Vulnerability details Impact There is a contract which inherit UUPSUpgradeable.sol, namely; Managed.sol . The contract is deployed using a proxy pattern whereby the implementation contract is used by the proxy contract for all its logic. The proxy contract will make delegate calls t...
Implementation can be self destruct by deployer, effectively break all running sale and lock all assets.
Lines of code Vulnerability details Impact Sale in Escher is deployed using minimal proxy pattern, where there is only 1 implementation contract is deployed to save deployment gas. Also, in Open Edition and FixedPrice sale, when sale is not started yet, owner can cancel it, self destruct the prox...
Funds are locked if can’t transfer reward to recipient in withdraw
Lines of code Vulnerability details Impact When recipient not able to received reward when call withdraw, as natspec: If contract is using proxy pattern, it's possible to register retroactively, however past fees will be lost. We not handle that case to get locked funds back. We should add...
Broken Upgradable Logic in Pool.sol
Lines of code Vulnerability details Impact The Pool smart contract allows a user to predeposit ETH so that it can be used when a seller takes their bid. It uses an ERC1967 proxy pattern and only the exchange contract is permitted to make transfers. The smart contract inherits the...
Initialization function can be front-run
Lines of code Vulnerability details Detailed description of the impact of this finding: Exchange.sol has initialization function that can be front-run, allowing an attacker to incorrectly initialize the contract. Due to the use of the delegatecall proxy pattern, Exchange.sol cannot be initialized...
Admin has ability to rugpull all tokens
Lines of code Vulnerability details Impact Currently it is possible for the admin to pull all tokens belonging to the Gravity bridge. In normal circumstances this is probably fine, but if the admin account were compromised this would lead to the bridge being drained of locked funds. Furthermore, ...
Potential DOS in Contracts Inheriting UUPSUpgradeable.sol
Handle leastwood Vulnerability details Impact There are a number of contracts which inherit UUPSUpgradeable.sol, namely; GovernanceAction.sol, PauseRouter.sol and NoteERC20.sol. All these contracts are deployed using a proxy pattern whereby the implementation contract is used by the proxy contrac...
Initialization functions can be front-run with malicious values
Handle 0xRajeev Vulnerability details Impact Most contracts have public visibility initialization functions that can be front-run, allowing an attacker to incorrectly initialize the contracts. Due to the use of the delegatecall proxy pattern, PrizePool/YieldSourcePrizePool/StakePrizePool,...
Initialization can be front-run in DAO.sol
Handle 0xRajeev Vulnerability details Impact Given the public access, this is susceptible to front-running by an attacker who can initialize this with arbitrary assets before the deployer. Reinitialization will require contract redeployment because initialization can be done only once. Reference:...