Tomcat -- Request Smuggling

Apache Tomcat reports: If Tomcat was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false the default for 8.5.x only, Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a...

[SECURITY] Fedora 35 Update: nginx-1.22.1-1.fc35

Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and IMAP protocols, with a strong focus on high concurrency, performance and low memory usage...

[SECURITY] Fedora 36 Update: nginx-1.22.1-1.fc36

Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and IMAP protocols, with a strong focus on high concurrency, performance and low memory usage...

golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working

A flaw was found in net/http/httputil golang package. When httputil.ReverseProxy.ServeHTTP is called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy could set the client IP incorrectly. This issue may affect confidentiality...

OESA-2022-2004 golang security update

The Go Programming Language Security Fixes: Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum si...

Important: golang-github-gorilla-mux

Issue Overview: 2023-05-11: CVE-2022-1996 has changed status to NOT AFFECTED for this package and has been removed from this advisory. A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling,...

Important: go-rpm-macros

Issue Overview: 2023-05-11: CVE-2022-1996 has changed status to NOT AFFECTED for this package and has been removed from this advisory. A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling,...

MGASA-2022-0377 Updated golang packages fix security vulnerability

regexp/syntax: limit memory used by parsing regexps CVE-2022-41715 archive/tar: unbounded memory consumption when reading headers CVE-2022-2879 net/http/httputil: ReverseProxy should not forward unparseable query parameters CVE-2022-2880...

Design/Logic Flaw

GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions from 19.2.0 to 19.10.0 inclusive are subject to a timing attack in validation of access tokens due to use of regular string comparison f...

AZL-37469 CVE-2022-2880 affecting package golang for versions less than 1.21.6-1

Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the quer...

AZL-79010 CVE-2022-2880 affecting package golang 1.25.7-1

Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the quer...

DEBIAN-CVE-2022-2880

Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the quer...

UBUNTU-CVE-2022-2880

Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the quer...

CVE-2022-39308 GoCD API authentication of user access tokens subject to timing attack during comparison

GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions from 19.2.0 to 19.10.0 inclusive are subject to a timing attack in validation of access tokens due to use of regular string comparison f...

CVE-2022-39271

CVE-2022-39271 affects Traefik, a modern HTTP reverse proxy/load balancer. The vulnerability lies in HTTP/2 connection handling where closing an HTTP/2 server connection could hang due to a subsequent fatal error, potentially enabling a denial-of-service condition. A patch has been released in Tr...

Fixed in Apache Tomcat 8.5.83

Low: Apache Tomcat request smuggling CVE-2022-42252 If Tomcat was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false the default, Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was...

Fixed in Apache Tomcat 10.0.27

Low: Apache Tomcat request smuggling CVE-2022-42252 If Tomcat was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false not the default, Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat wa...

CVE-2022-2880

A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an...

Fixed in Apache Tomcat 9.0.68

Low: Apache Tomcat request smuggling CVE-2022-42252 If Tomcat was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false not the default, Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat wa...

HTTP Request Smuggling

Overview std/net/http/httputil is a Go standard library package std/net/http/httputil Affected versions of this package are vulnerable to HTTP Request Smuggling. Go Vulnerability Report:Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including...