Lucene search
32 matches found

CNNVD
added 2026/05/07 12:00 a.m., 3 views

inngest-js information disclosure vulnerability

Inngest-js is an open-source framework developed by Inngest, designed to support various serverless platforms. It serves as a reliable event-driven and background task execution framework. Versions 3.22.0 to 3.53.1 of Inngest-js contain a vulnerability related to information leakage. This...

CVSS 8.6, AI score 5.9, EPSS 0.00048
Exploits: 0, References: 1
RedhatCVE
added 2026/01/07 9:38 a.m., 3 views

CVE-1999-0448

IIS 4.0 and Apache log HTTP request methods, regardless of how long they are, allowing a remote attacker to hide the URL they really request...

CVSS 5, AI score 7, EPSS 0.61925
Exploits: 0, References: 1
OSV
added 2025/09/25 3:30 p.m., 1 views

GHSA-R3JV-XFGX-GJ24 cors-anywhere vulnerable to server-side request forgery

Rob--W/cors-anywhere instances configured as an open proxy allow unauthenticated external users to induce the server to make HTTP requests to arbitrary targets (SSRF). Because the proxy forwards requests and headers, an attacker can reach internal-only endpoints and link-local metadata services...

CVSS 9.5, AI score 6.6, EPSS 0.0091
Exploits: 0, References: 8
RedhatCVE
added 2025/05/21 11:45 p.m., 6 views

CVE-2003-0249

PHP treats unknown methods such as "PoSt" as a GET request, which could allow attackers to bypass intended access restrictions if PHP is running on a server that passes on all methods, such as Apache httpd 2.0, as demonstrated using a Limit directive. NOTE: this issue has been disputed by the Apache...

CVSS 7.5, AI score 7.2, EPSS 0.00633
Exploits: 0, References: 1
Github Security Blog
added 2025/03/20 12:32 p.m., 4 views

Aim allows denial of service due to no timeouts for some tracking server endpoints

In version 3.23.0 of aimhubio/aim, certain methods that request data from external servers do not have set timeouts, causing the server to wait indefinitely for a response. This can lead to a denial of service, as the tracking server does not respond to other requests while waiting. The issue...

CVSS 7.5, AI score 6.9, EPSS 0.00471
Exploits: 1, References: 4, Affected Software: 1
Wallarm Lab
added 2025/03/04 1:00 p.m., 9 views

API Specifications: Why, When, and How to Enforce Them

APIs facilitate communication between different software applications and power a wide range of everyday digital experiences, from weather apps to streaming services and everything in between. They are also a critical ingredient of AI. However, if not structured and standardized properly, APIs ca...

AI score 7.7
Exploits: 0
OSV
added 2024/08/17 7:16 a.m., 11 views

BIT-CILIUM-OPERATOR-2024-42487 Cilium's Gateway API route matching order contradicts specification

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In the 1.15 branch prior to 1.15.8 and the 1.16 branch prior to 1.16.1, Gateway API HTTPRoutes and GRPCRoutes do not follow the match precedence specified in the Gateway API specification. In particular,...

CVSS 4.3, AI score 4, EPSS 0.01804
Exploits: 0, References: 4
OSV
added 2024/08/17 7:16 a.m., 12 views

BIT-CILIUM-2024-42487 Cilium's Gateway API route matching order contradicts specification

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In the 1.15 branch prior to 1.15.8 and the 1.16 branch prior to 1.16.1, Gateway API HTTPRoutes and GRPCRoutes do not follow the match precedence specified in the Gateway API specification. In particular,...

CVSS 4.3, AI score 4, EPSS 0.01804
Exploits: 0, References: 4
Veracode
added 2024/08/16 9:13 a.m., 7 views

Security Bypass

github.com/cilium/cilium is vulnerable to Security Bypass. The vulnerability is due to improper implementation of match precedence in Gateway API HTTPRoutes and GRPCRoutes, where request headers are matched before request methods. It allows an attacker to exploit the incorrect request handling...

CVSS 4.3, AI score 6.6, EPSS 0.01804
Exploits: 0, References: 6, Affected Software: 1
OSV
added 2024/08/15 9:46 p.m., 9 views

GHSA-QCM3-7879-XCWW Gateway API route matching order contradicts specification

Impact: Gateway API HTTPRoutes and GRPCRoutes do not follow the match precedence specified in the Gateway API specification. In particular, request headers are matched before request methods, when the specification describes that the request methods must be respected before headers are matched...

CVSS 4, AI score 4, EPSS 0.01804
Exploits: 0, References: 7
Cvelist
added 2024/08/15 8:26 p.m., 12 views

CVE-2024-42487 Cilium's Gateway API route matching order contradicts specification

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In the 1.15 branch prior to 1.15.8 and the 1.16 branch prior to 1.16.1, Gateway API HTTPRoutes and GRPCRoutes do not follow the match precedence specified in the Gateway API specification. In particular,...

CVSS 4, EPSS 0.01804
Exploits: 0, References: 3
OSV
added 2024/08/15 8:26 p.m., 11 views

CVE-2024-42487 Cilium's Gateway API route matching order contradicts specification

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In the 1.15 branch prior to 1.15.8 and the 1.16 branch prior to 1.16.1, Gateway API HTTPRoutes and GRPCRoutes do not follow the match precedence specified in the Gateway API specification. In particular,...

CVSS 4, AI score 6.2, EPSS 0.01804
Exploits: 0, References: 5
Vulnrichment
added 2024/08/15 8:26 p.m., 17 views

CVE-2024-42487 Cilium's Gateway API route matching order contradicts specification

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In the 1.15 branch prior to 1.15.8 and the 1.16 branch prior to 1.16.1, Gateway API HTTPRoutes and GRPCRoutes do not follow the match precedence specified in the Gateway API specification. In particular,...

CVSS 4, AI score 6.6, EPSS 0.01804
Exploits: 0, References: 3
Veracode
added 2023/08/03 3:27 a.m., 20 views

Improper Certificate Validation

mindsdb is vulnerable to Improper Certificate Validation. The vulnerability is due to the use of verify=False when requesting post data, which disables SSL certificate verification. Security of the Requests methods depends on ensuring SSL certificates are validated. TLS greatly improves security by...

CVSS 9.1, AI score 6.8, EPSS 0.00125
Exploits: 0, References: 5, Affected Software: 1
Amazon
added 2023/07/25 12:00 a.m., 40 views

Important: golang

Issue Overview: RESERVED NOTE: https://groups.google.com/g/golang-announce/c/V0aBFqaFsE CVE-2022-41724 Golang: net/http, mime/multipart: denial of service from excessive resource consumption https://groups.google.com/g/golang-announce/c/V0aBFqaFsE CVE-2022-41725 The ScalarMult and ScalarBaseMult...

CVSS 9.8, AI score 8, EPSS 0.00759
Exploits: 0
CNNVD
added 2022/11/23 12:00 a.m., 2 views

SolarWinds Security Event Manager security vulnerability

SolarWinds Security Event Manager (SolarWinds SEM) is a product of the American company SolarWinds, Inc. for forensics and troubleshooting, as well as a tool to help you manage log data. A security vulnerability exists in SolarWinds Security Event Manager 2022.2 and prior versions that stems from disclosing HTTP methods...

CVSS 5.3, AI score 6.7, EPSS 0.01494
Exploits: 0, References: 3
Github Security Blog
added 2022/05/24 5:37 p.m., 23 views

http before 0.13.3 vulnerable to header injection

An issue was discovered in the http package before 0.13.3 for Dart. If the attacker controls the HTTP method and the app is using Request directly, it's possible to achieve CRLF injection in an HTTP request via HTTP header injection. This issue has been addressed in commit abb2bb182 by validating...

CVSS 6.1, AI score 7, EPSS 0.25379
Exploits: 1, References: 7, Affected Software: 1
OSV
added 2022/05/24 5:37 p.m., 18 views

GHSA-4RGH-JX4F-QFCQ http before 0.13.3 vulnerable to header injection

An issue was discovered in the http package before 0.13.3 for Dart. If the attacker controls the HTTP method and the app is using Request directly, it's possible to achieve CRLF injection in an HTTP request via HTTP header injection. This issue has been addressed in commit abb2bb182 by validating...

CVSS 6.1, AI score 6.9, EPSS 0.25379
Exploits: 1, References: 7
Kitploit
added 2020/09/18 8:30 p.m., 107 views

Bxss - A Blind XSS Injector Tool

A Blind XSS Injector tool. Features: inject Blind XSS payloads into custom headers; inject Blind XSS payloads into parameters; uses different request methods (PUT, POST, GET, OPTIONS) all at once; tool chaining; really fast; easy to set up. Install: $ go get -u github.com/ethicalhackingplayground/bxss Arguments ...

AI score 6.5
Exploits: 0, References: 1
Veracode
added 2019/03/07 5:06 a.m., 6 views

Cross-Site Request Forgery (CSRF)

yiisoft/yii2 is vulnerable to cross-site request forgery (CSRF). Request methods are not validated or restricted in \yii\web\Request::getMethod. This allows an attacker to bypass CSRF token checks by downgrading the HTTP request to read methods such as GET, HEAD or OPTIONS...

AI score 6.3
Exploits: 0