2151 matches found

RedHat Linux
added 2022/04/07 6:02 p.m., 0 views

golang: net/http/httputil: panic due to racy read of persistConn after handler panic

A race condition flaw was found in Go. The incoming request's body wasn't closed after the handler panicked, and as a consequence this could lead to a ReverseProxy crash. The highest threat from this vulnerability is to Availability...

CVSS 5.9, AI score 7.1, EPSS 0.00231
Exploits 0, References 5
ThreatPost
added 2022/04/05 1:30 p.m., 184 views

No-Joke Borat RAT Propagates Ransomware, DDoS

Attackers are using a newly released remote access trojan (RAT) to spread ransomware and distributed denial of service (DDoS) — in addition to the traditional RAT function of backdooring victims’ systems. Researchers at Cyble Research Labs discovered the RAT, which they dubbed Borat RAT because it us...

AI score 8.8
Exploits 0, References 7
RedHat Linux
added 2022/02/23 12:47 p.m., 0 views

golang: net/http/httputil: panic due to racy read of persistConn after handler panic

A race condition flaw was found in Go. The incoming request's body wasn't closed after the handler panicked, and as a consequence this could lead to a ReverseProxy crash. The highest threat from this vulnerability is to Availability...

CVSS 5.9, AI score 7.1, EPSS 0.00231
Exploits 0, References 5
OSV
added 2022/02/22 7:55 p.m., 16 views

CVE-2022-23652 Privilege escalation using hop-by-hop Connection header

capsule-proxy is a reverse proxy for Capsule Operator which provides multi-tenancy in Kubernetes. In versions prior to 0.2.1 an attacker with a proper authentication mechanism may use a malicious Connection header to start a privilege escalation attack towards the Kubernetes API Server. This...

CVSS 8.8, AI score 8.7, EPSS 0.00385
Exploits 1, References 5
RedHat Linux
added 2022/02/21 9:04 a.m., 1 view

ruby: Potential HTTP request smuggling in WEBrick

An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy which also has a po...

CVSS 7.5, AI score 7.2, EPSS 0.00275
Exploits 0, References 5
RedHat Linux
added 2022/02/21 8:55 a.m., 1 view

ruby: Potential HTTP request smuggling in WEBrick

An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy which also has a po...

CVSS 7.5, AI score 7.2, EPSS 0.00275
Exploits 0, References 5
CNVD
added 2022/02/18 12:00 a.m., 63 views

Containous Traefik Trust Management Issue Vulnerability (CNVD-2022-13371)

Containous Traefik is a reverse proxy and load balancer from Containous, U.S. Containous Traefik is vulnerable to a trust management issue that stems from the fact that when a request is sent using an FQDN processed by a router configured with a dedicated TLS configuration, the TLS configuration...

CVSS 7.5, AI score 1.7, EPSS 0.00557
Exploits 0, References 1
Snyk
added 2022/02/17 5:36 p.m., 1 view

Race Condition

Overview: std/net/http is a Go standard library package. Affected versions of this package are vulnerable to Race Condition. Go Vulnerability Report: HTTP servers where the Handler concurrently reads the request body and writes a response can encounter a data race and crash. The...

CVSS 8.2, AI score 6.7, EPSS 0.00614
Exploits 0, References 3
Snyk
added 2022/02/17 5:33 p.m., 2 views

Missing Authorization

Overview: std/net/http/httputil is a Go standard library package. Affected versions of this package are vulnerable to Missing Authorization. Go Vulnerability Report: ReverseProxy can be made to forward certain hop-by-hop headers, including Connection. If the target of the...

CVSS 6.9, AI score 6.9, EPSS 0.00039
Exploits 1, References 3
Snyk
added 2022/02/17 5:32 p.m., 2 views

Race Condition

Overview: std/net/http/httputil is a Go standard library package. Affected versions of this package are vulnerable to Race Condition. Go Vulnerability Report: ReverseProxy can panic after encountering a problem copying a proxied response body. Remediation: Upgrade...

CVSS 8.2, AI score 6.8, EPSS 0.00231
Exploits 0, References 3
NVD
added 2022/02/17 3:15 p.m., 18 views

CVE-2022-23632

Traefik is an HTTP reverse proxy and load balancer. Prior to version 2.6.1, Traefik skips the router transport layer security (TLS) configuration when the host header is a fully qualified domain name (FQDN). For a request, the TLS configuration choice can be different than the router choice, which...

CVSS 7.5, EPSS 0.00557
Exploits 0, References 4
Prion
added 2022/02/17 3:15 p.m., 24 views

Default configuration

Traefik is an HTTP reverse proxy and load balancer. Prior to version 2.6.1, Traefik skips the router transport layer security (TLS) configuration when the host header is a fully qualified domain name (FQDN). For a request, the TLS configuration choice can be different than the router choice, which...

CVSS 6.8, AI score 7.9, EPSS 0.00557
Exploits 0, References 4, Affected Software 2
CVE
added 2022/02/17 2:55 p.m., 125 views

CVE-2022-23632

CVE-2022-23632 affects Traefik (HTTP reverse proxy/load balancer). Prior to v2.6.1, when the host header is an FQDN, the router’s TLS configuration can be ignored and a different TLS setup may be applied, potentially using the default TLS configuration instead of the configured one. If CNAME flat...

CVSS 7.5, AI score 7.5, EPSS 0.00557
Exploits 0, References 4, Affected Software 1
OSV
added 2022/02/17 2:55 p.m., 16 views

CVE-2022-23632 Traefik skips the router TLS configuration when the host header is an FQDN

Traefik is an HTTP reverse proxy and load balancer. Prior to version 2.6.1, Traefik skips the router transport layer security (TLS) configuration when the host header is a fully qualified domain name (FQDN). For a request, the TLS configuration choice can be different than the router choice, which...

CVSS 7.4, AI score 8.1, EPSS 0.00557
Exploits 0, References 6
NVD
added 2022/02/15 4:15 p.m., 19 views

CVE-2022-21698

client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, the HTTP server is susceptible to a Denial of Service through unbounded cardinality, and...

CVSS 7.5, EPSS 0.00376
Exploits 0, References 22
Prion
added 2022/02/15 4:15 p.m., 26 views

Design/Logic Flaw

client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, the HTTP server is susceptible to a Denial of Service through unbounded cardinality, and...

CVSS 5, AI score 8.5, EPSS 0.00376
Exploits 0, References 22, Affected Software 3
UbuntuCve
added 2022/02/15 4:15 p.m., 55 views

CVE-2022-21698

client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, the HTTP server is susceptible to a Denial of Service through unbounded cardinality, and...

CVSS 7.5, AI score 6.8, EPSS 0.00376
Exploits 0, References 5
OSV
added 2022/02/15 1:57 a.m., 28 views

GHSA-VX57-7F4Q-FPC7 Arbitrary redirects under /new endpoint

Impact: In 2.23.0, Prometheus changed its default UI to the new UI. To ensure a seamless transition, URLs prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft a URL that can redirect to any other URL, in the /new endpoint. If a user visits a...

CVSS 6.1, AI score 6.4, EPSS 0.87475
Exploits 0, References 4
AlpineLinux
added 2022/02/15 12:00 a.m., 35 views

CVE-2022-21698

client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, the HTTP server is susceptible to a Denial of Service through unbounded cardinality, and...

CVSS 7.5, AI score 9.7, EPSS 0.00376
Exploits 0
Cvelist
added 2022/02/15 12:00 a.m., 26 views

CVE-2022-21698 Uncontrolled Resource Consumption in promhttp

client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, the HTTP server is susceptible to a Denial of Service through unbounded cardinality, and...

CVSS 7.5, AI score 8.9, EPSS 0.00376
Exploits 0, References 22