PT-2023-8840 · Aiohttp +3 · Aiohttp +3

Name of the Vulnerable Software and Affected Versions: aiohttp versions prior to 3.8.0 Description: The issue is related to the inconsistent interpretation of the HTTP protocol, specifically when both Content-Length and Transfer-Encoding headers are present. This can lead to incorrect...

Fixed in Apache Tomcat 8.5.96

Important: Request smuggling CVE-2023-46589 Tomcat did not correctly parse HTTP trailer headers. A specially crafted trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a...

tomcat: not including the secure attribute causes information disclosure

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure...

Rocky Linux 8 : grafana (RLSA-2022:1781)

The remote Rocky Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2022:1781 advisory. - Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability fo...

Privilege escalation

capsule-proxy is a reverse proxy for Capsule kubernetes multi-tenancy framework. A bug in the RoleBinding reflector used by capsule-proxy gives ServiceAccount tenant owners the right to list Namespaces of other tenants backed by the same owner kind and name. For example consider two tenants solar...

CVE-2023-46254 Service accounts can see namespaces of other tenants in capsule-proxy

capsule-proxy is a reverse proxy for Capsule kubernetes multi-tenancy framework. A bug in the RoleBinding reflector used by capsule-proxy gives ServiceAccount tenant owners the right to list Namespaces of other tenants backed by the same owner kind and name. For example consider two tenants solar...

FreeBSD : h2o -- uninitialised memory access in HTTP3 (1d3677a8-9143-42d8-84a3-0585644dff4b)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 1d3677a8-9143-42d8-84a3-0585644dff4b advisory. - h2o is an open source http server. In code prior to the 8c0eca3 commit h2o may attempt to access...

Request Smuggling org.apache.tomcat:tomcat-coyote in Confluence Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in version 7.19.0 of Confluence Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N allows an unauthenticated attacker t...

tomcat: incorrectly parsed http trailer headers can cause request smuggling

A flaw was found in Apache Tomcat, where an improper input validation can occur. This flaw allows a malicious user to send a crafted request containing an invalid trailer header, which could be treated as multiple requests, potentially leading to request smuggling when behind a reverse proxy...

tomcat: incorrectly parsed http trailer headers can cause request smuggling

A flaw was found in Apache Tomcat, where an improper input validation can occur. This flaw allows a malicious user to send a crafted request containing an invalid trailer header, which could be treated as multiple requests, potentially leading to request smuggling when behind a reverse proxy...

CVE-2023-45648

A flaw was found in Apache Tomcat, where an improper input validation can occur. This flaw allows a malicious user to send a crafted request containing an invalid trailer header, which could be treated as multiple requests, potentially leading to request smuggling when behind a reverse proxy...

[SECURITY] [DLA 3617-1] tomcat9 security update

Debian LTS Advisory DLA-3617-1 [email protected] https://www.debian.org/lts/security/ Markus Koschany October 13, 2023 https://wiki.debian.org/LTS Package : tomcat9 Version : 9.0.31-1deb10u9 CVE ID : CVE-2023-24998 CVE-2023-41080 CVE-2023-42795 CVE-2023-44487 CVE-2023-45648 Several...

Apache Tomcat Input Validation Error Vulnerability (CNVD-2024-27498)

Apache Tomcat is the United States Apache Apache Foundation of a lightweight Web application server. The program implements the Servlet and JavaServer Page JSP support. Apache Tomcat has an input validation error vulnerability that stems from a failure to properly parse the HTTP tail header, whic...

Request Smuggling

tomcat-coyote are vulnerable to Request Smuggling. This vulnerability exists because the library does not properly validate HTTP trailer headers, which allows an attacker to smuggle requests if the application is behind a reverse proxy...

HTTP/2 Stream Cancellation Attack

HTTP/2 Rapid reset attack The HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled by sending a RSTSTREAM frame. The protocol does not require the client and server to coordinate the cancellation in any way, the client may do it unilaterally. The clie...

DEBIAN-CVE-2023-45648

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomca...

UBUNTU-CVE-2023-45648

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomca...

Apache Tomcat 输入验证错误漏洞

Apache Tomcat is the United States Apache Apache Foundation of a lightweight Web application server. The program implements the Servlet and JavaServer Page JSP support. Apache Tomcat has an input validation error vulnerability that stems from a failure to properly parse the HTTP tail header, whic...

Fixed in Apache Tomcat 10.1.14

Important: Request smuggling CVE-2023-45648 Tomcat did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. This was fixe...

Important: squid

Issue Overview: An issue was discovered in Squid through 4.7 and 5. When receiving a request, Squid checks its cache to see if it can serve up a response. It does this by making a MD5 hash of the absolute URL of the request. If found, it servers the request. The absolute URL can include the decod...