Netty susceptible to HTTP/2 Reset Attack with different on-the-wire signature

Summary Netty HTTP/2 max header size handling produces attack similar to HTTP/2 Rapid Reset. Details There is a setting in the http2 specification called SETTINGSMAXHEADERLISTSIZE. According to the RFC: “This advisory setting informs a peer of the maximum field section size that the sender is...

CVE-2026-50560

Netty HTTP/2 vulnerability CVE-2026-50560 affects Netty versions 4.1.135.Final and 4.2.15.Final. When a client sends SETTINGS_MAX_HEADER_LIST_SIZE, Netty may read a request, proxy it to the origin, attempt to generate a response, and then fail while writing response headers, creating an exception...

PT-2026-48916

Name of the Vulnerable Software and Affected Versions Netty versions prior to 4.1.135.Final Netty versions prior to 4.2.15.Final Description Netty HTTP/2 max header size handling allows for an attack similar to HTTP/2 Rapid Reset. When a client sends the SETTINGS MAX HEADER LIST SIZE setting, the...

GHSA-8V9P-G828-V98F Shopware: Admin Account Takeover via User Recovery Hash Exposure

Summary A low-privilege admin user with userrecovery:read ACL can take over any admin account. The attacker triggers password recovery for the victim unauthenticated endpoint, reads the recovery hash from the Admin API search endpoint, then uses the hash to reset the victim's password another...

WordPress plugin LatePoint 授权问题漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

Astra Linux – Vulnerability in Tomcat9

Improper resource shutdown or release vulnerabilities in Apache Tomcat made Tomcat vulnerable to reset attacks. This issue affects Apache Tomcat versions from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43, and from 9.0.0.M1 through 9.0.107. Older, end-of-life versions may also be...

golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)

A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RSTSTREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any...

CVE-2026-35507

Shynet before 0.14.0 allows Host header injection in the password reset flow...

Security update for tomcat

This update for tomcat fixes the following issues: Update to Tomcat 9.0.115: CVE-2025-48989: HTTP/2 protocol including DNS over HTTPS is vulnerable to "MadeYouReset" DoS attack bsc1243895. CVE-2025-52434: race condition on connection close when using the APR/Native connector could lead to a JVM...

MiracleLinux 8 : grafana-7.5.15-5.el8.ML.1 (AXSA:2023-6522:08)

The remote MiracleLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2023-6522:08 advisory. grafana: golang: net/http, x/net/http2: rapid stream resets can cause excessive work CVE-2023-39325 HTTP/2: Multiple HTTP/2 enabled web servers are...

MiracleLinux 9 : golang-1.19.13-1.el9, go-toolset-1.19.13-1.el9 (AXSA:2023-6512:05)

The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2023-6512:05 advisory. golang: net/http, x/net/http2: rapid stream resets can cause excessive work CVE-2023-44487 CVE-2023-39325 HTTP/2: Multiple HTTP/2 enabled web server...

MiracleLinux 9 : tomcat-9.0.62-11.el9.3 (AXSA:2023-6536:04)

The remote MiracleLinux 9 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2023-6536:04 advisory. HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack Rapid Reset Attack CVE-2023-44487 Tenable has extracted the preceding description...

MiracleLinux 7 : httpd24-nghttp2-1.7.1-11.0.1.el7 (AXSA:2024-7351:01)

The remote MiracleLinux 7 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2024-7351:01 advisory. HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack Rapid Reset Attack CVE-2023-44487 Tenable has extracted the preceding description...

MiracleLinux 8 : nodejs:16 (AXSA:2024-7628:01)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2024-7628:01 advisory. nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks CVE-2024-22019 nodejs: HTTP/2: Multiple HTTP/2 enabled we...

MiracleLinux 8 : nodejs:16 (AXSA:2023-6524:01)

The remote MiracleLinux 8 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2023-6524:01 advisory. HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack Rapid Reset Attack CVE-2023-44487 Tenable has extracted the preceding description...

MiracleLinux 8 : varnish:6 (AXSA:2023-6550:01)

The remote MiracleLinux 8 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2023-6550:01 advisory. HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack Rapid Reset Attack CVE-2023-44487 Tenable has extracted the preceding description...

MiracleLinux 8 : nghttp2-1.33.0-5.el8 (AXSA:2023-6516:01)

The remote MiracleLinux 8 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2023-6516:01 advisory. HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack Rapid Reset Attack CVE-2023-44487 Tenable has extracted the preceding description...

MiracleLinux 9 : nghttp2-1.43.0-5.el9.1 (AXSA:2023-6518:02)

The remote MiracleLinux 9 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2023-6518:02 advisory. HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack Rapid Reset Attack CVE-2023-44487 Tenable has extracted the preceding description...

MiracleLinux 7 : rh-nginx120-nginx-1.20.1-1.0.2.el7.AXS7 (AXSA:2023-6580:01)

The remote MiracleLinux 7 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2023-6580:01 advisory. HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack Rapid Reset Attack CVE-2023-44487 Tenable has extracted the preceding description...

MiracleLinux 9 : nodejs-16.20.2-3.el9 (AXSA:2023-6507:05)

The remote MiracleLinux 9 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2023-6507:05 advisory. nodejs: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack Rapid Reset Attack CVE-2023-44487 A Cybertrust Japan Co., Ltd. Security...