1159 matches found
CVE-2024-6827
CVE-2024-6827 affects Gunicorn 21.2.0 where Transfer-Encoding is not properly validated, causing fallback to Content-Length and TE.CL HTTP request smuggling. This can lead to cache poisoning, data exposure, session manipulation, SSRF, XSS, DoS, and data integrity issues. Root cause: improper vali...
Gunicorn 环境问题漏洞
Gunicorn is a Python web server gateway interface HTTP server from the Gunicorn open source. An environment issue vulnerability exists in Gunicorn version 21.2.0 that stems from improper validation of the Transfer-Encoding header, which could lead to a request entrapment attack...
Linux Distros Unpatched Vulnerability : CVE-2024-1135
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling HRS vulnerabilities. By crafting requests with conflicting...
python-gunicorn: HTTP Request Smuggling due to improper validation of Transfer-Encoding headers
An HTTP Request Smuggling vulnerability was found in Gunicorn. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly...
Important: ruby
Issue Overview: An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" request. NOTE: the supplier's...
OESA-2024-2531 libsoup3 security update
Libsoup is an HTTP library implementation in C. It was originally part of a SOAP Simple Object Access Protocol implementation called Soup, but the SOAP and non-SOAP parts have now been split into separate packages. Security Fixes: GNOME libsoup before 3.6.0 allows HTTP request smuggling in some...
netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling
A flaw was found in Netty, where it mishandles Transfer-Encoding whitespace. This flaw allows HTTP Request Smuggling...
libsoup: HTTP request smuggling via stripping null bytes from the ends of header names
A flaw was found in the Libsoup library. When Libsoup parses HTTP headers, it ignores null bytes at the end of header names. Thus, Transfer-Encoding: chunked is equivalent to Transfer-Encoding\x00: chunked. This issue allows request smuggling when Libsoup is used in a service behind a reverse pro...
libsoup: HTTP request smuggling via stripping null bytes from the ends of header names
A flaw was found in the Libsoup library. When Libsoup parses HTTP headers, it ignores null bytes at the end of header names. Thus, Transfer-Encoding: chunked is equivalent to Transfer-Encoding\x00: chunked. This issue allows request smuggling when Libsoup is used in a service behind a reverse pro...
libsoup: HTTP request smuggling via stripping null bytes from the ends of header names
A flaw was found in the Libsoup library. When Libsoup parses HTTP headers, it ignores null bytes at the end of header names. Thus, Transfer-Encoding: chunked is equivalent to Transfer-Encoding\x00: chunked. This issue allows request smuggling when Libsoup is used in a service behind a reverse pro...
libsoup: HTTP request smuggling via stripping null bytes from the ends of header names
A flaw was found in the Libsoup library. When Libsoup parses HTTP headers, it ignores null bytes at the end of header names. Thus, Transfer-Encoding: chunked is equivalent to Transfer-Encoding\x00: chunked. This issue allows request smuggling when Libsoup is used in a service behind a reverse pro...
libsoup: HTTP request smuggling via stripping null bytes from the ends of header names
A flaw was found in the Libsoup library. When Libsoup parses HTTP headers, it ignores null bytes at the end of header names. Thus, Transfer-Encoding: chunked is equivalent to Transfer-Encoding\x00: chunked. This issue allows request smuggling when Libsoup is used in a service behind a reverse pro...
libsoup: HTTP request smuggling via stripping null bytes from the ends of header names
A flaw was found in the Libsoup library. When Libsoup parses HTTP headers, it ignores null bytes at the end of header names. Thus, Transfer-Encoding: chunked is equivalent to Transfer-Encoding\x00: chunked. This issue allows request smuggling when Libsoup is used in a service behind a reverse pro...
AZL-53159 CVE-2024-52530 affecting package libsoup for versions less than 3.4.4-2
GNOME libsoup before 3.6.0 allows HTTP request smuggling in some configurations because '\0' characters at the end of header names are ignored, i.e., a "Transfer-Encoding\0: chunked" header is treated the same as a "Transfer-Encoding: chunked" header...
RHEL 5 : tomcat5 and tomcat6 (RHSA-2010:0581)
The remote Redhat Enterprise Linux 5 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2010:0581 advisory. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages JSP technologies. A flaw was found in the way Tomcat handled the...
Important: ruby3.2
Issue Overview: An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" request. NOTE: the supplier's...
SUSE SLES15 / openSUSE 15 Security Update : rubygem-puma (SUSE-SU-2024:3644-1)
The remote SUSE Linux SLES15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:3644-1 advisory. - CVE-2024-45614: Prevent underscores from clobbering hyphen headers bsc1230848. - CVE-2024-21647: Fixed DoS when parsing chunked...
OESA-2024-2250 rubygem-puma security update
A simple, fast, threaded, and highly concurrent HTTP 1.1 server for Ruby/Rack applications. Security Fixes: Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request...
OESA-2024-2247 ruby security update
Ruby is a fast and easy interpreted scripting language for object-oriented programming. It has many functions for processing text Files and perform system management tasks such as Perl. Security Fixes: An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request...
OESA-2024-2226 rubygem-webrick security update
WEBrick is an HTTP server toolkit that can be configured as an HTTPS server, a proxy server, and a virtual-host server. Security Fixes: An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a...