2151 matches found

Cvelist
added 2021/01/05 5:30 p.m., 16 views

CVE-2021-21234 Directory Traversal

spring-boot-actuator-logview is a library that adds a simple logfile viewer as a spring boot actuator endpoint. It is maven package "eu.hinsch:spring-boot-actuator-logview". In spring-boot-actuator-logview before version 0.2.13 there is a directory traversal vulnerability. The nature of this librar...

CVSS 7.7, AI score 7.6, EPSS 0.93658
Exploits: 2, References: 4
Github Security Blog
added 2021/01/05 5:29 p.m., 65 views

Directory Traversal in spring-boot-actuator-logview

Impact The nature of this library is to expose a log file directory via admin spring boot actuator HTTP endpoints. Both the filename to view and a base folder relative to the logging folder root can be specified via request parameters. While the filename parameter was checked to prevent directory...

CVSS 7.7, AI score 0.6, EPSS 0.93658
Exploits: 2, References: 6, Affected Software: 1
OSV
added 2021/01/05 5:29 p.m., 18 views

GHSA-P4Q6-QXJX-8JGP Directory Traversal in spring-boot-actuator-logview

Impact The nature of this library is to expose a log file directory via admin spring boot actuator HTTP endpoints. Both the filename to view and a base folder relative to the logging folder root can be specified via request parameters. While the filename parameter was checked to prevent directory...

CVSS 7.7, AI score 7.3, EPSS 0.93658
Exploits: 2, References: 5
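An added illustrative example, not code from spring-boot-actuator-logview (which is Java) nor from any of the advisories listed here, of the two-parameter resolution pattern the logview entries describe: the viewer takes a base folder and a filename, and the excerpt indicates that only the filename was checked for traversal. The Rust model below contrasts a filename-only check with a containment check on the fully joined path. LOG_ROOT, the function names, and the exact form of the flawed filename check are assumptions made for this illustration; the check is lexical (no filesystem access), so it does not follow symlinks.

```rust
// Illustrative two-parameter path containment check (added example, hypothetical names).
use std::path::{Component, Path, PathBuf};

/// Hypothetical logging folder root that all viewer requests must stay under.
pub const LOG_ROOT: &str = "/var/log/app";

/// Lexically resolve `p` relative to `root`: apply "." and "..", and refuse any
/// ".." that would climb above `root`, any absolute path, and any path prefix.
/// No filesystem access, so symlinks inside the root are NOT covered.
fn normalize_under(root: &Path, p: &Path) -> Option<PathBuf> {
    if p.is_absolute() {
        return None; // an absolute path is never "relative to the root"
    }
    let mut depth = 0usize; // how many real segments we are below root
    let mut out = root.to_path_buf();
    for c in p.components() {
        match c {
            Component::CurDir => {}
            Component::Normal(seg) => {
                out.push(seg);
                depth += 1;
            }
            Component::ParentDir => {
                if depth == 0 {
                    return None; // ".." would escape the root
                }
                out.pop();
                depth -= 1;
            }
            Component::RootDir | Component::Prefix(_) => return None,
        }
    }
    Some(out)
}

/// Flawed pattern (assumption modelled on the advisory excerpt): the filename is
/// screened for traversal, but the base folder is joined unchecked, so
/// base = "../../etc" walks out of LOG_ROOT once the OS resolves the path.
pub fn resolve_log_path_flawed(base: &str, filename: &str) -> Option<PathBuf> {
    if filename.contains("..") || filename.contains('/') {
        return None;
    }
    Some(Path::new(LOG_ROOT).join(base).join(filename))
}

/// Hardened: join both request parameters first, then check that the resolved
/// result is still inside LOG_ROOT. Checking the final path covers every parameter
/// that contributes to it, instead of one parameter in isolation.
pub fn resolve_log_path(base: &str, filename: &str) -> Option<PathBuf> {
    let root = Path::new(LOG_ROOT);
    let joined = Path::new(base).join(filename);
    let resolved = normalize_under(root, &joined)?;
    // Defence in depth: a final containment check on the normalised path.
    if resolved.starts_with(root) {
        Some(resolved)
    } else {
        None
    }
}

fn main() {
    for (base, name) in [("archive/2020", "app.log"), ("../../etc", "passwd"), ("/etc", "passwd")] {
        println!(
            "base={:?} file={:?}: flawed={:?} hardened={:?}",
            base,
            name,
            resolve_log_path_flawed(base, name),
            resolve_log_path(base, name)
        );
    }
}
```

In a real service the lexical check should be followed by a filesystem `canonicalize` of the result and a second `starts_with` test against the canonicalised root, so that symlinks placed under the log directory cannot re-introduce the escape.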
OSV
added 2020/12/29 12:15 a.m., 10 views

CVE-2020-26286

HedgeDoc is a collaborative platform for writing and sharing markdown. In HedgeDoc before version 1.7.1 an unauthenticated attacker can upload arbitrary files to the upload storage backend including HTML, JS and PHP files. The problem is patched in HedgeDoc 1.7.1. You should however verify that...

CVSS 7.5, AI score 7.4
Exploits: 0, References: 3
RedHat Linux
added 2020/12/22 4:53 a.m., 4 views

golang: data race in certain net/http servers including ReverseProxy can lead to DoS

A flaw was found in Go's net/http package. Servers using ReverseProxy from net/http in the Go standard library are vulnerable to a data race that results in a denial of service. The highest threat from this vulnerability is to system availability...

CVSS 5.9, AI score 7.3, EPSS 0.00614
Exploits: 0, References: 5
OSV
added 2020/12/21 10:15 p.m., 12 views

CVE-2020-26281

async-h1 is an asynchronous HTTP/1.1 parser for Rust crates.io. There is a request smuggling vulnerability in async-h1 before version 2.3.0. This vulnerability affects any webserver that uses async-h1 behind a reverse proxy, including all such Tide applications. If the server does not read the bo...

CVSS 7.5, AI score 7.5, EPSS 0.00285
Exploits: 0, References: 2
NVD
added 2020/12/21 10:15 p.m., 9 views

CVE-2020-26281

async-h1 is an asynchronous HTTP/1.1 parser for Rust crates.io. There is a request smuggling vulnerability in async-h1 before version 2.3.0. This vulnerability affects any webserver that uses async-h1 behind a reverse proxy, including all such Tide applications. If the server does not read the bo...

CVSS 7.5, AI score 6.8, EPSS 0.0019
Exploits: 0, References: 2
Prion
added 2020/12/21 10:15 p.m., 10 views

Cross site request forgery (csrf)

async-h1 is an asynchronous HTTP/1.1 parser for Rust crates.io. There is a request smuggling vulnerability in async-h1 before version 2.3.0. This vulnerability affects any webserver that uses async-h1 behind a reverse proxy, including all such Tide applications. If the server does not read the bo...

CVSS 5.8, AI score 7.5, EPSS 0.0019
Exploits: 0, References: 2, Affected Software: 1
Cvelist
added 2020/12/21 9:50 p.m., 11 views

CVE-2020-26281 request smuggling in async-h1

async-h1 is an asynchronous HTTP/1.1 parser for Rust crates.io. There is a request smuggling vulnerability in async-h1 before version 2.3.0. This vulnerability affects any webserver that uses async-h1 behind a reverse proxy, including all such Tide applications. If the server does not read the bo...

CVSS 6.8, AI score 7.5, EPSS 0.0019
Exploits: 0, References: 2
CVE
added 2020/12/21 9:50 p.m., 50 views

CVE-2020-26281

CVE-2020-26281 affects the async-h1 crate (Rust) before version 2.3.0 when used behind a reverse proxy. The vulnerability arises when the server does not consume a request body beyond a buffer, allowing a smuggled request to be read from the body and potentially forge or manipulate forwarded head...

CVSS 7.5, AI score 7, EPSS 0.0019
Exploits: 0, References: 2, Affected Software: 1
CNNVD
added 2020/12/21 12:00 a.m., 4 views

Http-rs Async-h1 Environment Issue Vulnerability

Http-rs Async-h1 is a Rust-based asynchronous Http parser from the Http-rs team. A security vulnerability exists in async-h1 versions prior to 2.3.0, which stems from the presence of a request smuggling vulnerability. This vulnerability affects any web server that uses async-h1 behind a reverse...

CVSS 7.5, AI score 7.1, EPSS 0.0019
Exploits: 0, References: 2
Tenable Nessus
added 2020/12/18 12:00 a.m., 228 views

Amazon Linux AMI : tomcat7 (ALAS-2020-1472) (deprecated)

The version of the tested product installed on the remote host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the ALAS-2020-1472 advisory. - In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approa...

AI score 7.9, EPSS 0.01382
Exploits: 0, References: 3
OSV
added 2020/12/17 12:00 p.m., 19 views

RUSTSEC-2020-0093 Async-h1 request smuggling possible with long unread bodies

This vulnerability affects any webserver that uses async-h1 behind a reverse proxy, including all such Tide applications. If the server does not read the body of a request which is longer than some buffer length, async-h1 will attempt to read a subsequent request from the body content starting at...

CVSS 7.5, AI score 6.5, EPSS 0.00285
Exploits: 0, References: 3
RustSec
added 2020/12/17 12:00 p.m., 19 views

Async-h1 request smuggling possible with long unread bodies

This vulnerability affects any webserver that uses async-h1 behind a reverse proxy, including all such Tide applications. If the server does not read the body of a request which is longer than some buffer length, async-h1 will attempt to read a subsequent request from the body content starting at...

AI score 0.3
Exploits: 0, Affected Software: 1
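An added illustrative model, not async-h1's code and not a reproduction of the crate's fix, of the failure mode the RustSec, OSV, NVD and CVE-2020-26281 entries above describe: when a handler never reads a request body that is longer than the parser's read buffer, a framer that advances only past the buffered bytes (rather than past the full Content-Length) parses the tail of that body as a second request. Behind a reverse proxy that second request carries whatever headers the attacker placed in the body. READ_BUF, the two framing functions and the sample byte stream are constructed for this page; the "fixed" framer simply shows the safe invariant (always skip or wait for the whole declared body before parsing the next head).

```rust
// Illustrative request-smuggling model for the "long unread body" class (added example).

#[derive(Debug, PartialEq)]
pub struct Request {
    pub method: String,
    pub target: String,
    pub content_length: usize,
}

/// Hypothetical read-buffer size: the most body a lazy framer ever skips.
pub const READ_BUF: usize = 64;

fn find(hay: &[u8], needle: &[u8]) -> Option<usize> {
    hay.windows(needle.len()).position(|w| w == needle)
}

/// Parse one request head (request line + headers) at `buf[pos..]`.
/// Returns the head and the offset where its body starts, or None if no
/// complete head is present.
fn parse_head(buf: &[u8], pos: usize) -> Option<(Request, usize)> {
    let rest = buf.get(pos..)?;
    let end = find(rest, b"\r\n\r\n")?;
    let head = std::str::from_utf8(&rest[..end]).ok()?;
    let mut lines = head.split("\r\n");
    let mut req_line = lines.next()?.split(' ');
    let method = req_line.next()?.to_string();
    let target = req_line.next()?.to_string();
    let mut content_length = 0usize;
    for line in lines {
        let (name, value) = line.split_once(':')?;
        if name.trim().eq_ignore_ascii_case("content-length") {
            content_length = value.trim().parse().ok()?;
        }
    }
    Some((Request { method, target, content_length }, pos + end + 4))
}

/// Vulnerable framing: the handler ignored the body, and the framer only ever
/// discards what fitted in READ_BUF. Anything beyond that stays on the stream
/// and is parsed as the next request head.
pub fn frame_requests_vulnerable(stream: &[u8]) -> Vec<Request> {
    let mut out = Vec::new();
    let mut pos = 0;
    while let Some((req, body_start)) = parse_head(stream, pos) {
        let skipped = req.content_length.min(READ_BUF); // bug: partial skip
        pos = body_start + skipped;
        out.push(req);
    }
    out
}

/// Fixed framing: always advance past the entire declared body. If the body is
/// not fully available yet, stop and wait for more bytes instead of parsing
/// from the middle of it.
pub fn frame_requests_fixed(stream: &[u8]) -> Vec<Request> {
    let mut out = Vec::new();
    let mut pos = 0;
    while let Some((req, body_start)) = parse_head(stream, pos) {
        let next = body_start + req.content_length;
        out.push(req);
        if next > stream.len() {
            break; // incomplete body: never resume parsing mid-body
        }
        pos = next;
    }
    out
}

/// Constructed sample: one proxied POST whose body is READ_BUF bytes of padding
/// followed by a smuggled GET /admin with an attacker-chosen Host header.
pub fn sample_stream() -> Vec<u8> {
    let padding = "A".repeat(READ_BUF);
    let smuggled = "GET /admin HTTP/1.1\r\nHost: internal\r\n\r\n";
    let body = format!("{}{}", padding, smuggled);
    format!(
        "POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: {}\r\n\r\n{}",
        body.len(),
        body
    )
    .into_bytes()
}

fn main() {
    let s = sample_stream();
    println!("vulnerable framer saw: {:?}", frame_requests_vulnerable(&s));
    println!("fixed framer saw:      {:?}", frame_requests_fixed(&s));
}
```

The proxy forwarded exactly one request, so any second request the origin server reconstructs from body bytes bypasses whatever the proxy enforced on the request line and headers; the origin must own the framing decision and drain or await the full body regardless of what the application handler did with it.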
RedHat Linux
added 2020/12/17 5:43 a.m., 1 view

golang: data race in certain net/http servers including ReverseProxy can lead to DoS

A flaw was found in Go's net/http package. Servers using ReverseProxy from net/http in the Go standard library are vulnerable to a data race that results in a denial of service. The highest threat from this vulnerability is to system availability...

CVSS 5.9, AI score 7.3, EPSS 0.00614
Exploits: 0, References: 5
Hacker One
added 2020/12/11 4:23 p.m., 13 views

Mail.ru: Bypass the reverse proxy. Request admin

Incorrect configuration of nginx led to path restrictions bypass...

AI score 3.5
Exploits: 0
OSV
added 2020/12/08 2:15 a.m., 12 views

CVE-2020-26253

Kirby is a CMS. In Kirby CMS getkirby/cms before version 3.3.6, and Kirby Panel before version 2.5.14 there is a vulnerability in which the admin panel may be accessed if hosted on a .dev domain. In order to protect new installations on public servers that don't have an admin account for the Pane...

CVSS 5.9, AI score 6.3
Exploits: 0, References: 5
Prion
added 2020/12/08 2:15 a.m., 19 views

Design/Logic Flaw

Kirby is a CMS. In Kirby CMS getkirby/cms before version 3.3.6, and Kirby Panel before version 2.5.14 there is a vulnerability in which the admin panel may be accessed if hosted on a .dev domain. In order to protect new installations on public servers that don't have an admin account for the Pane...

CVSS 4.3, AI score 5.5, EPSS 0.00161
Exploits: 0, References: 5, Affected Software: 2
Cvelist
added 2020/12/08 1:15 a.m., 16 views

CVE-2020-26253 .dev domains treated as local in Kirby

Kirby is a CMS. In Kirby CMS getkirby/cms before version 3.3.6, and Kirby Panel before version 2.5.14 there is a vulnerability in which the admin panel may be accessed if hosted on a .dev domain. In order to protect new installations on public servers that don't have an admin account for the Pane...

CVSS 6.8, AI score 6.4, EPSS 0.00161
Exploits: 0, References: 5
OpenVAS
added 2020/12/08 12:00 a.m., 13 views

Debian: Security Advisory (DSA-4805-1)

The remote host is missing an update for Debian. SPDX-FileCopyrightText: 2020 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...

CVSS 7.5, AI score 7.6, EPSS 0.03046
Exploits: 0, References: 4