387 matches found
Crlf injection
An improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') vulnerability in FortiManager and FortiAnalyzer GUI 7.0.0, 6.4.6 and below, 6.2.8 and below, 6.0.11 and below, 5.6.11 and below may allow an authenticated and remote attacker to perform an HTTP request splittin...
Fortinet FortiManager and Fortinet FortiAnalyzer Environment Issue Vulnerability
Fortinet FortiManager is a centralized network security management platform from Fortinet, Inc. Fortinet FortiAnalyzer is a centralized network security reporting solution that allows for centralized management of any number of Fortinet devices and the ability to group devices into different...
In Twisted Web through 19.10.0 there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.
...
In Twisted Web through 19.10.0 there was an HTTP request splitting vulnerability. When presented with two content-length headers it ignored the first header. When the second content-length value was set to zero the request body was interpreted as a pipelined request.
...
SUSE: Security Advisory (SUSE-SU-2020:14460-1)
SUSE: Security Advisory (SUSE-SU-2019:0395-1)
SUSE: Security Advisory (SUSE-SU-2020:14590-1)
Security Bulletin: IBM DataPower Gateway is affected by a vulnerability in Node.js (CVE-2018-12123)
Summary IBM DataPower Gateway has addressed the following vulnerability: CVE-2018-12123 Vulnerability Details CVEID: CVE-2018-12123 DESCRIPTION: Node.js is vulnerable to HTTP request splitting attacks, caused by improper input validation by the path option of an HTTP request. A remote attacker...
Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected and user-defined HTTP request to be made to the same server.
...
Oracle Linux 8 : squid:4 (ELSA-2020-3623)
The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-3623 advisory. - Resolves: 1872345 - CVE-2020-15811 squid:4/squid: HTTP Request Splitting could result in cache poisoning - Resolves: 1872330 - CVE-2020-15810...
Apache Httpd < 2.4.49 : Request splitting via HTTP/2 method injection and mod_proxy
A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48...
OESA-2021-1092 squid security update
Squid is a high-performance proxy caching server. It handles all requests in a single, non-blocking, I/O-driven process, keeps metadata, and implements negative caching of failed requests. Security Fixes: An issue was discovered in Squid before 4.12 and 5.x before 5.0.3. Due to use of a...
Squid < 4.13 Multiple Vulnerabilities
According to its self-reported version number, the version of Squid installed on the remote host is 5.x prior to 5.0.4, or prior to 4.13. It is, therefore, affected by multiple vulnerabilities: - Due to incorrect data validation, Squid is vulnerable to HTTP request splitting and HTTP request smuggling attac...
Squid < 4.9 Multiple Vulnerabilities
According to its self-reported version number, the version of Squid installed on the remote host is prior to 4.9. It is, therefore, affected by multiple vulnerabilities: - A heap overflow, and possibly remote code execution, exists due to incorrect buffer management when processing URN...
CentOS 8 : squid:4 (CESA-2020:3623)
The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2020:3623 advisory. - squid: HTTP Request Smuggling could result in cache poisoning CVE-2020-15810 - squid: HTTP Request Splitting could result in cache poisoning...
EulerOS 2.0 SP3 : squid (EulerOS-SA-2021-1123)
According to the versions of the squid packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An issue was discovered in http/ContentLengthInterpreter.cc in Squid before 4.12 and 5.x before 5.0.3. A Request Smuggling and Poisoning attack c...
SUSE-SU-2020:14590-1 Security update for squid3
This update for squid3 fixes the following issues: - CVE-2020-15811: Fixed an HTTP request splitting vulnerability (bsc#1175665). - CVE-2020-24606: Fixed a DoS vulnerability when processing Cache Digest Responses (bsc#1175671). - CVE-2020-15810: Fixed an HTTP request smuggling vulnerability (bsc#1175664)...
NewStart CGSL CORE 5.04 / MAIN 5.04 : python-twisted-web Multiple Vulnerabilities (NS-SA-2020-0078)
The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has python-twisted-web packages installed that are affected by multiple vulnerabilities: - In Twisted before 19.2.1, twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characte...
NewStart CGSL CORE 5.05 / MAIN 5.05 : python-twisted-web Multiple Vulnerabilities (NS-SA-2020-0118)
The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has python-twisted-web packages installed that are affected by multiple vulnerabilities: - In Twisted before 19.2.1, twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characte...
Updated python-twisted packages fix security vulnerabilities
Jake Miller and ZeddYu Lu discovered that Twisted incorrectly handled certain content-length headers. A remote attacker could possibly use this issue to perform HTTP request splitting attacks (CVE-2020-10108, CVE-2020-10109)...