2151 matches found
AZL-10538 CVE-2022-32148 affecting package golang for versions less than 1.18.5-1
Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the...
UBUNTU-CVE-2022-32148
Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the...
CVE-2022-32148 Exposure of client IP addresses in net/http
Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the...
golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
A flaw was found in net/http/httputil golang package. When httputil.ReverseProxy.ServeHTTP is called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy could set the client IP incorrectly. This issue may affect confidentiality...
golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
A flaw was found in net/http/httputil golang package. When httputil.ReverseProxy.ServeHTTP is called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy could set the client IP incorrectly. This issue may affect confidentiality...
golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
A flaw was found in net/http/httputil golang package. When httputil.ReverseProxy.ServeHTTP is called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy could set the client IP incorrectly. This issue may affect confidentiality...
mezzio-swoole Applications Using Diactoros Vulnerable to HTTP Host Header Attack
Impact mezzio-swoole applications using Diactoros for their PSR-7 implementation, and which are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of a Laminas\Diactoros\Uri instance associated with the incoming server request...
GHSA-C8RP-CGF4-937W mezzio-swoole Applications Using Diactoros Vulnerable to HTTP Host Header Attack
Impact mezzio-swoole applications using Diactoros for their PSR-7 implementation, and which are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of a Laminas\Diactoros\Uri instance associated with the incoming server request...
OESA-2022-1783 golang security update
The Go Programming Language Security Fixes: When httputil.ReverseProxy.ServeHTTP was called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy would set the client IP as the value of the X-Forwarded-For header, contrary to its documentation. In the more...
GHSA-8274-H5JP-97VR Diactoros before 2.11.1 vulnerable to HTTP Host Header Attack
Impact Applications that use Diactoros, and are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of a Laminas\Diactoros\Uri instance associated with the incoming server request modified to reflect values from X-Forwarded-...
HTTP Host Header Attack Vulnerabilities
The package laminas/laminas-diactoros Diactoros is a PSR-7 HTTP Message and PSR-17 HTTP Message Factory implementation, providing HTTP request and response message representations both for making HTTP client requests and responding to HTTP requests server-side. When responding to an incoming...
Kindred Group: [www.32red.com] Reverse proxy misconfiguration leads to 1-click account takeover
==Below is the original, partially-redacted report== --------- Hi team, Summary We have found a misconfiguration in the reverse proxy powering www.32red.com, as it's possible to manipulate the forwarded requests using URL-encoded characters. This leads to a full 1-click account takeover by...
Forward credential header to attacker host
Description Some Admins set the "Authorization" header with the help of a reverse proxy to restrict initial access to the Drawio application server. In this kind of setup, the "Authorization" header should always be sent to the reverse proxy, and the reverse proxy will forward it to Drawio But Th...
Siemens SCALANCE LPE9403 Third-Party Vulnerabilities
1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely, low attack complexity Vendor: Siemens Equipment: SCALANCE LPE9403 Vulnerabilities: Multiple 2. RISK EVALUATION Successful exploitation of these vulnerabilities could cause crashes and unrestricted file access, impacting the...
The vulnerability of the reverse proxy server Yet Another Reverse Proxy (YARP) from Microsoft, which stems from insufficient input validation, allows attackers to induce service failures.
The vulnerability of the reverse proxy server, Yet Another Reverse Proxy YARP from Microsoft, is related to insufficient input validation. Exploiting this vulnerability could allow a malicious actor to cause service interruptions...
Nginx NJS Denial of Service Vulnerability (CNVD-2022-66506)
Nginx is a lightweight web server/reverse proxy server and email IMAP/POP3 proxy server from Nginx Inc. njs is one of the scripting language components that supports extended NGINX functionality . A denial of service vulnerability exists in Nginx NJS version v0.7.2, which stems from a segmentatio...
CVE-2022-31028
MinIO is a multi-cloud object storage solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections...
Design/Logic Flaw
MinIO is a multi-cloud object storage solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections...
CVE-2022-31028 Possible DDOS by establishing keep-alive connections with anonymous HTTP clients in MinIO
MinIO is a multi-cloud object storage solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections...
CVE-2022-31028 Possible DDOS by establishing keep-alive connections with anonymous HTTP clients in MinIO
MinIO is a multi-cloud object storage solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections...