CVE-2018-21018

Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions...

Code injection

Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions...

CVE-2018-21018

Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions...

CVE-2018-21018

CVE-2018-21018 affects Mastodon prior to 2.6.3. The issue is described as mishandling timeouts of incompletely established sessions, with CVSS metrics indicating HIGH to CRITICAL impact (CVSS 2.0: 7.5; CVSS 3.1: 9.8). Affected software is Mastodon before 2.6.3; the root cause relates to session t...

U.S. Dept Of Defense: [CVE-2018-0296] Cisco VPN path traversal on the https://███████/ (████.███.mil)

The CVE-2018-0296 vulnerability was discovered in a Cisco VPN system. It allowed an unauthenticated attacker to perform path traversal and disclose sensitive information such as VPN sessions and user files. The issue was addressed by updating to a patched version that returned a 404 "File not...

U.S. Dept Of Defense: [CVE-2018-0296] Cisco VPN path traversal on the https://███ (████████████████)

A path traversal vulnerability was discovered in Cisco VPN that could allow unauthenticated users to disclose sensitive information such as VPN sessions and files. The vulnerability was assigned CVE-2018-0296. The vulnerability was fixed in updated versions of the software...

Linux kernel out-of-bounds access vulnerability (CNVD-2019-31653)

Linux kernel is the kernel used by Linux, the open source operating system released by the Linux Foundation in the United States. An out-of-bounds access vulnerability exists in the ath6klwmipstreamtimeouteventrx and ath6klwmicaceventrx functions in drivers/net/wireless/ath/ath6kl/wmi.c in versio...

DEBIAN-CVE-2019-15926

An issue was discovered in the Linux kernel before 5.2.3. Out of bounds access exists in the functions ath6klwmipstreamtimeouteventrx and ath6klwmicaceventrx in the file drivers/net/wireless/ath/ath6kl/wmi.c...

Missing default timeout on HTTP requests (NC-SA-2020-005)

Dangling remote share attempts in Nextcloud 16 allow a DNS pollution when running long...

Fedora 30 : mod_http2 (2019-63ba15cc83) (0-Length Headers Leak) (Data Dribble) (Internal Data Buffering)

Rebuilt with newer nghttp2 ---- This update includes the latest upstream release of modhttp2, version 1.15.3. Upstream changes include : - fixes Timeout vs. KeepAliveTimeout behaviour, see PR 63534. - Fixes stream cleanup when connection throttling is in place. - Counts stream resets by client on...

Node.js: Http response is not ended although underlying socket is already destroyed

Summary: When node server receives http request and hooks to end, finish and error events are attached on response object to handle cases when response is closed/ended but underlying socket is abruptly terminated then none of those events is fired. This leads to state when response seems to be...

polkit security and bug fix update

0.112-22.0.1 - Increase timeout to avoid defunct processes Orabug: 26930744 0.112-22 - pkttyagent: polkit-agent-helper-1 timeout leaves tty echo disabled - Resolves: rhbz1325512 0.112-21 - Mitigation of regression caused by fix of CVE-2018-19788 - Resolves: rhbz1656377 0.112-20 - Fix of...

Oracle Linux 7 : curl (ELSA-2019-1880)

The remote Oracle Linux 7 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2019-1880 advisory. - CVE-2016-8615 cookie injection for other servers https://curl.haxx.se/docs/CVE-2016-8615.html - CVE-2016-8616 case insensitive password comparison...

SilverSHielD 6.x - Local Privilege Escalation

SilverSHielD 6.x - Local Privilege Escalation This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Exploit Title: extenua SilverSHielD 6.x local priviledge escalation Google Dork: na Date: 31 Jul 2019 Exploit Author: Ian...

nodejs: Insufficient Slowloris fix causing DoS via server.headersTimeout bypass

It was found that the original fix for Slowloris, CVE-2018-12122, was insufficient. It is possible to bypass the server's headersTimeout by sending two specially crafted HTTP requests in the same connection. An attacker could use this flaw to bypass Slowloris protection, resulting in a denial of...

CVE-2017-8227

Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices have a timeout policy to wait for 5 minutes in case 30 incorrect password attempts are detected using the Web and HTTP API interface provided by the device. However, if the same brute force attempt is performed using the ONVIF specification which...

Qualys Cloud Platform (VM, PC) 8.20 New Features

This new release of the Qualys Cloud Platform VM, PC, version 8.20, includes several new features in Qualys Cloud Platform and additional support for multiple technologies in Qualys Policy Compliance. Feature Highlights Qualys Cloud Platform Configure Password Expiration Notification – Now users...

Denial Of Service (DoS)

tomcat-coyote/tomcat-embed-core is vulnerable to denial of service. The vulnerability exists due to an incomplete fix of CVE-2019-0199 which is due to the lack of timeout idling streams and keeping the idle streams open without any read/write and request/response data...

tomcat: Due to a mishandling of close in NIO/NIO2 connectors user sessions can get mixed up

If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not...

Pydio Core <= 8.2.2 Information Disclosure Vulnerability - Active Check

Pydio Core is prone to an information disclosure vulnerability. SPDX-FileCopyrightText: 2019 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:pydio:pydio";...