golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working

A flaw was found in net/http/httputil golang package. When httputil.ReverseProxy.ServeHTTP is called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy could set the client IP incorrectly. This issue may affect confidentiality...

golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working

A flaw was found in net/http/httputil golang package. When httputil.ReverseProxy.ServeHTTP is called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy could set the client IP incorrectly. This issue may affect confidentiality...

GHSA-C8RP-CGF4-937W mezzio-swoole Applications Using Diactoros Vulnerable to HTTP Host Header Attack

Impact mezzio-swoole applications using Diactoros for their PSR-7 implementation, and which are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of a Laminas\Diactoros\Uri instance associated with the incoming server request...

mezzio-swoole Applications Using Diactoros Vulnerable to HTTP Host Header Attack

Impact mezzio-swoole applications using Diactoros for their PSR-7 implementation, and which are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of a Laminas\Diactoros\Uri instance associated with the incoming server request...

OESA-2022-1783 golang security update

The Go Programming Language Security Fixes: When httputil.ReverseProxy.ServeHTTP was called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy would set the client IP as the value of the X-Forwarded-For header, contrary to its documentation. In the more...

GHSA-8274-H5JP-97VR Diactoros before 2.11.1 vulnerable to HTTP Host Header Attack

Impact Applications that use Diactoros, and are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of a Laminas\Diactoros\Uri instance associated with the incoming server request modified to reflect values from X-Forwarded-...

HTTP Host Header Attack Vulnerabilities

The package laminas/laminas-diactoros Diactoros is a PSR-7 HTTP Message and PSR-17 HTTP Message Factory implementation, providing HTTP request and response message representations both for making HTTP client requests and responding to HTTP requests server-side. When responding to an incoming...

Kindred Group: [www.32red.com] Reverse proxy misconfiguration leads to 1-click account takeover

==Below is the original, partially-redacted report== --------- Hi team, Summary We have found a misconfiguration in the reverse proxy powering www.32red.com, as it's possible to manipulate the forwarded requests using URL-encoded characters. This leads to a full 1-click account takeover by...

Forward credential header to attacker host

Description Some Admins set the "Authorization" header with the help of a reverse proxy to restrict initial access to the Drawio application server. In this kind of setup, the "Authorization" header should always be sent to the reverse proxy, and the reverse proxy will forward it to Drawio But Th...

Siemens SCALANCE LPE9403 Third-Party Vulnerabilities

1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely, low attack complexity Vendor: Siemens Equipment: SCALANCE LPE9403 Vulnerabilities: Multiple 2. RISK EVALUATION Successful exploitation of these vulnerabilities could cause crashes and unrestricted file access, impacting the...

Nginx NJS Denial of Service Vulnerability (CNVD-2022-66506)

Nginx is a lightweight web server/reverse proxy server and email IMAP/POP3 proxy server from Nginx Inc. njs is one of the scripting language components that supports extended NGINX functionality . A denial of service vulnerability exists in Nginx NJS version v0.7.2, which stems from a segmentatio...

The vulnerability of the reverse proxy server Yet Another Reverse Proxy (YARP) from Microsoft, which stems from insufficient input validation, allows attackers to induce service failures.

The vulnerability of the reverse proxy server, Yet Another Reverse Proxy YARP from Microsoft, is related to insufficient input validation. Exploiting this vulnerability could allow a malicious actor to cause service interruptions...

CVE-2022-31028

MinIO is a multi-cloud object storage solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections...

Design/Logic Flaw

MinIO is a multi-cloud object storage solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections...

CVE-2022-31028 Possible DDOS by establishing keep-alive connections with anonymous HTTP clients in MinIO

MinIO is a multi-cloud object storage solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections...

CVE-2022-31028 Possible DDOS by establishing keep-alive connections with anonymous HTTP clients in MinIO

MinIO is a multi-cloud object storage solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections...

CVE-2022-31028 Possible DDOS by establishing keep-alive connections with anonymous HTTP clients in MinIO

MinIO is a multi-cloud object storage solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections...

PT-2022-20472 · Minio +1 · Minio +1

Name of the Vulnerable Software and Affected Versions: MinIO versions RELEASE.2019-09-25T18-25-51Z through RELEASE.2022-06-02T02-11-04Z Description: The issue is related to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections...

Uncaught Exception (due to a data race) leads to process termination in Waitress

Impact Waitress may terminate early due to a thread closing a socket while the main thread is about to call select. This will lead to the main thread raising an exception that is not handled and then causing the entire application to be killed. Patches This issue has been fixed in Waitress 2.1.2 ...

Security Bulletin: Vulnerability in Nginx affects IBM Cloud Private and could allow a remote attacker to obtain sensitive information (177988)

Summary There is a vulnerability in the Nginx open source component. Nginx is used by IBM Cloud Private as a reverse proxy. The vulnerability could allow a remote attacker to obtain sensitive information. This bulletin identifies the security fixes to apply to address the Nginx vulnerability 1779...