761 matches found
CVE-2022-30115
Using its HSTS support, curl can be instructed to use HTTPS directly insteadof using an insecure clear-text HTTP step even when HTTP is provided in theURL. This mechanism could be bypassed if the host name in the given URL used atrailing dot while not using one when it built the HSTS cache. Or th...
CVE-2022-30115
CVE-2022-30115 describes an HSTS bypass in curl where the client could be forced to use HTTPS despite an HTTP URL, via mismatches between URL hostname trailing dots and HSTS cache entries. Connected advisories confirm the issue affects curl and was fixed in later releases; for example, Alpine/CUR...
CVE-2022-30115
Using its HSTS support, curl can be instructed to use HTTPS directly insteadof using an insecure clear-text HTTP step even when HTTP is provided in theURL. This mechanism could be bypassed if the host name in the given URL used atrailing dot while not using one when it built the HSTS cache. Or th...
GHSA-6Q4G-84F3-MW74 Improper handling of equivalent directory names on Windows in Jenkins
Jenkins stores jobs and other entities on disk using their name shown on the UI as file and folder names. On Windows, when specifying a file or folder with a trailing dot character example., the file or folder will be treated as if that character was not present example. As both are legal names f...
CLSA-2022-1653329020 Fix CVE(s): CVE-2022-1629, CVE-2022-1616, CVE-2022-1620, CVE-2022-1621, CVE-2022-1619
SECURITY UPDATE: Going before the start of the command line - debian/patches/CVE-2022-1619.patch: Check already being at the start of the command line - CVE-2022-1619 SECURITY UPDATE: NULL pointer access when using invalid pattern - debian/patches/CVE-2022-1620.patch: Check for failed regexp...
CLSA-2022-1653328424 Fixed CVEs in vim: CVE-2022-1616, CVE-2022-1621, CVE-2022-1620, CVE-2022-1629, CVE-2022-1619
CVE-2022-1619: fix going before the command line start with latin1 encoding - CVE-2022-1620: fix NULL pointer dereference when using invalig regexp - CVE-2022-1621: fix to avoid adding invalid bytes with :spellgood - CVE-2022-1629: fix reading past end of line if ended with trailing backslash -...
CLSA-2022-1653006752 Fixed CVEs in vim: CVE-2022-1620, CVE-2022-1616, CVE-2022-1629, CVE-2022-1621, CVE-2022-1619
CVE-2022-1619: fix going before the command line start with latin1 encoding - CVE-2022-1620: fix NULL pointer dereference when using invalig regexp - CVE-2022-1621: fix to avoid adding invalid bytes with :spellgood - CVE-2022-1629: fix reading past end of line if ended with trailing backslash -...
Fixed CVEs in vim: CVE-2022-1620, CVE-2022-1616, CVE-2022-1629, CVE-2022-1621, CVE-2022-1619
CVE-2022-1619: fix going before the command line start with latin1 encoding - CVE-2022-1620: fix NULL pointer dereference when using invalig regexp - CVE-2022-1621: fix to avoid adding invalid bytes with :spellgood - CVE-2022-1629: fix reading past end of line if ended with trailing backslash -...
dotnet: excess memory allocation via HttpClient causes DoS
A flaw was found in dotnet. The Microsoft Security Advisory describes the issue of the Apply MaxResponseHeadersLength limit for trailing headers to address a denial of service via excess memory allocations through the HttpClient...
FreeBSD : curl -- Multiple vulnerabilities (11e36890-d28c-11ec-a06f-d4c9ef517024)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 11e36890-d28c-11ec-a06f-d4c9ef517024 advisory. - Using its HSTS support, curl can be instructed to use HTTPS directly insteadof using an...
dotnet: excess memory allocation via HttpClient causes DoS
A flaw was found in dotnet. The Microsoft Security Advisory describes the issue of the Apply MaxResponseHeadersLength limit for trailing headers to address a denial of service via excess memory allocations through the HttpClient...
dotnet: excess memory allocation via HttpClient causes DoS
A flaw was found in dotnet. The Microsoft Security Advisory describes the issue of the Apply MaxResponseHeadersLength limit for trailing headers to address a denial of service via excess memory allocations through the HttpClient...
dotnet: excess memory allocation via HttpClient causes DoS
A flaw was found in dotnet. The Microsoft Security Advisory describes the issue of the Apply MaxResponseHeadersLength limit for trailing headers to address a denial of service via excess memory allocations through the HttpClient...
dotnet: excess memory allocation via HttpClient causes DoS
A flaw was found in dotnet. The Microsoft Security Advisory describes the issue of the Apply MaxResponseHeadersLength limit for trailing headers to address a denial of service via excess memory allocations through the HttpClient...
dotnet: excess memory allocation via HttpClient causes DoS
A flaw was found in dotnet. The Microsoft Security Advisory describes the issue of the Apply MaxResponseHeadersLength limit for trailing headers to address a denial of service via excess memory allocations through the HttpClient...
dotnet: excess memory allocation via HttpClient causes DoS
A flaw was found in dotnet. The Microsoft Security Advisory describes the issue of the Apply MaxResponseHeadersLength limit for trailing headers to address a denial of service via excess memory allocations through the HttpClient...
CURL-CVE-2022-30115 HSTS bypass via trailing dot
curl's HSTS check could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism could be bypassed if the hostname in the given URL used ...
cookie for trailing dot TLD
libcurl wrongly allows HTTP cookies to be set for Top Level Domains TLDs if the hostname is provided with a trailing dot. curl can be told to receive and send cookies when communicating using HTTPS. curl's "cookie engine" can be built with or without Public Suffix List awareness. If PSL support n...
HSTS bypass via trailing dot
curl's HSTS check could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism could be bypassed if the hostname in the given URL used ...
CURL-CVE-2022-27779 cookie for trailing dot TLD
libcurl wrongly allows HTTP cookies to be set for Top Level Domains TLDs if the hostname is provided with a trailing dot. curl can be told to receive and send cookies when communicating using HTTPS. curl's "cookie engine" can be built with or without Public Suffix List awareness. If PSL support n...