Important: ruby

Issue Overview: An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" request. NOTE: the supplier's...

OESA-2024-2531 libsoup3 security update

Libsoup is an HTTP library implementation in C. It was originally part of a SOAP Simple Object Access Protocol implementation called Soup, but the SOAP and non-SOAP parts have now been split into separate packages. Security Fixes: GNOME libsoup before 3.6.0 allows HTTP request smuggling in some...

netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling

A flaw was found in Netty, where it mishandles Transfer-Encoding whitespace. This flaw allows HTTP Request Smuggling...

libsoup: HTTP request smuggling via stripping null bytes from the ends of header names

A flaw was found in the Libsoup library. When Libsoup parses HTTP headers, it ignores null bytes at the end of header names. Thus, Transfer-Encoding: chunked is equivalent to Transfer-Encoding\x00: chunked. This issue allows request smuggling when Libsoup is used in a service behind a reverse pro...

libsoup: HTTP request smuggling via stripping null bytes from the ends of header names

A flaw was found in the Libsoup library. When Libsoup parses HTTP headers, it ignores null bytes at the end of header names. Thus, Transfer-Encoding: chunked is equivalent to Transfer-Encoding\x00: chunked. This issue allows request smuggling when Libsoup is used in a service behind a reverse pro...

libsoup: HTTP request smuggling via stripping null bytes from the ends of header names

A flaw was found in the Libsoup library. When Libsoup parses HTTP headers, it ignores null bytes at the end of header names. Thus, Transfer-Encoding: chunked is equivalent to Transfer-Encoding\x00: chunked. This issue allows request smuggling when Libsoup is used in a service behind a reverse pro...

libsoup: HTTP request smuggling via stripping null bytes from the ends of header names

A flaw was found in the Libsoup library. When Libsoup parses HTTP headers, it ignores null bytes at the end of header names. Thus, Transfer-Encoding: chunked is equivalent to Transfer-Encoding\x00: chunked. This issue allows request smuggling when Libsoup is used in a service behind a reverse pro...

libsoup: HTTP request smuggling via stripping null bytes from the ends of header names

A flaw was found in the Libsoup library. When Libsoup parses HTTP headers, it ignores null bytes at the end of header names. Thus, Transfer-Encoding: chunked is equivalent to Transfer-Encoding\x00: chunked. This issue allows request smuggling when Libsoup is used in a service behind a reverse pro...

libsoup: HTTP request smuggling via stripping null bytes from the ends of header names

A flaw was found in the Libsoup library. When Libsoup parses HTTP headers, it ignores null bytes at the end of header names. Thus, Transfer-Encoding: chunked is equivalent to Transfer-Encoding\x00: chunked. This issue allows request smuggling when Libsoup is used in a service behind a reverse pro...

AZL-53159 CVE-2024-52530 affecting package libsoup for versions less than 3.4.4-2

GNOME libsoup before 3.6.0 allows HTTP request smuggling in some configurations because '\0' characters at the end of header names are ignored, i.e., a "Transfer-Encoding\0: chunked" header is treated the same as a "Transfer-Encoding: chunked" header...

RHEL 5 : tomcat5 and tomcat6 (RHSA-2010:0581)

The remote Redhat Enterprise Linux 5 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2010:0581 advisory. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages JSP technologies. A flaw was found in the way Tomcat handled the...

Important: ruby3.2

Issue Overview: An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" request. NOTE: the supplier's...

SUSE SLES15 / openSUSE 15 Security Update : rubygem-puma (SUSE-SU-2024:3644-1)

The remote SUSE Linux SLES15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:3644-1 advisory. - CVE-2024-45614: Prevent underscores from clobbering hyphen headers bsc1230848. - CVE-2024-21647: Fixed DoS when parsing chunked...

OESA-2024-2250 rubygem-puma security update

A simple, fast, threaded, and highly concurrent HTTP 1.1 server for Ruby/Rack applications. Security Fixes: Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request...

OESA-2024-2247 ruby security update

Ruby is a fast and easy interpreted scripting language for object-oriented programming. It has many functions for processing text Files and perform system management tasks such as Perl. Security Fixes: An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request...

OESA-2024-2226 rubygem-webrick security update

WEBrick is an HTTP server toolkit that can be configured as an HTTPS server, a proxy server, and a virtual-host server. Security Fixes: An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a...

python-gunicorn: HTTP Request Smuggling due to improper validation of Transfer-Encoding headers

An HTTP Request Smuggling vulnerability was found in Gunicorn. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly...

USN-7057-2 ruby-webrick vulnerability

USN-7057-1 fixed a vulnerability in WEBrick. This update provides the corresponding updates for Ubuntu 22.04 LTS. Original advisory details: It was discovered that WEBrick incorrectly handled having both a Content- Length header and a Transfer-Encoding header. A remote attacker could possibly use...

USN-7057-1 ruby-webrick vulnerability

It was discovered that WEBrick incorrectly handled having both a Content- Length header and a Transfer-Encoding header. A remote attacker could possibly use this issue to perform a HTTP request smuggling attack...

Security Bulletin: Vulnerabilities in Netty affect IBM watsonx.data

Summary Netty is vulnerable to HTTP request smuggling and weaker than expected security. These can affect watsonx.data. Vulnerability Details CVEID:CVE-2019-20444 DESCRIPTION: Netty is vulnerable to HTTP request smuggling, caused by a flaw in the HttpObjectDecoder.java. By sending a...