1155 matches found

OSV
added 2020/05/21 3:15 p.m., 14 views

PYSEC-2020-242

netius prior to 1.17.58 is vulnerable to HTTP Request Smuggling. HTTP pipelining issues and request smuggling attacks might be possible due to incorrect Transfer encoding header parsing which could allow for CL:TE or TE:TE attacks...

CVSS 6.1 | AI score 1.7 | EPSS 0.00238
Exploits: 0 | References: 2

PyPA
added 2020/05/21 3:15 p.m., 6 views

PYSEC-2020-242

netius prior to 1.17.58 is vulnerable to HTTP Request Smuggling. HTTP pipelining issues and request smuggling attacks might be possible due to incorrect Transfer encoding header parsing which could allow for CL:TE or TE:TE attacks...

CVSS 6.1 | AI score 7 | EPSS 0.00238
Exploits: 0 | References: 2 | Affected Software: 1

Cvelist
added 2020/05/21 2:15 p.m., 15 views

CVE-2020-7655

netius prior to 1.17.58 is vulnerable to HTTP Request Smuggling. HTTP pipelining issues and request smuggling attacks might be possible due to incorrect Transfer encoding header parsing which could allow for CL:TE or TE:TE attacks...

AI score 6.3 | EPSS 0.00238
Exploits: 0 | References: 1

Snyk
added 2020/05/19 11:56 a.m., 1 view

HTTP Request Smuggling

Overview: netius is a Python network library that can be used for the rapid creation of asynchronous non-blocking servers and clients. Affected versions of this package are vulnerable to HTTP Request Smuggling. HTTP pipelining issues and request smuggling attacks might be possible due to incorrect...

CVSS 8.2 | AI score 6.2 | EPSS 0.00238
Exploits: 0 | References: 2

Snyk
added 2020/05/18 5:19 p.m., 2 views

HTTP Request Smuggling

Overview: iodine is a fast HTTP / Websocket Server with built-in Pub/Sub support with or without Redis, static file support and many other features, optimized for Ruby MRI on Linux / BSD / macOS. Affected versions of this package are vulnerable to HTTP Request Smuggling. HTTP pipelining issues and...

CVSS 4.8 | AI score 7
Exploits: 0 | References: 2

RedHat Linux
added 2020/05/18 10:24 a.m., 1 view

netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling

A flaw was found in Netty, where it mishandles Transfer-Encoding whitespace. This flaw allows HTTP Request Smuggling...

CVSS 7.5 | AI score 7.1 | EPSS 0.01498
Exploits: 1 | References: 5

Snyk
added 2020/05/17 2:9 p.m., 2 views

HTTP Request Smuggling

Overview: meinheld is a High performance asynchronous Python WSGI Web Server. Affected versions of this package are vulnerable to HTTP Request Smuggling. HTTP pipelining issues and request smuggling attacks might be possible due to incorrect Content-Length and Transfer encoding header parsing. It i...

CVSS 8.2 | AI score 6.2 | EPSS 0.00238
Exploits: 0 | References: 2

RedHat Linux
added 2020/05/04 10:18 a.m., 7 views

haproxy: HTTP request smuggling issue with transfer-encoding header containing an obfuscated "chunked" value

A flaw was found in HAProxy before 2.0.6. In legacy mode, messages featuring a transfer-encoding header missing the "chunked" value were not being correctly rejected. The impact was limited but if combined with the "http-reuse always" setting, it could be used to help construct an HTTP request...

CVSS 7.5 | AI score 7.2 | EPSS 0.02818
Exploits: 1 | References: 4

FreeBSD
added 2020/05/04 12:0 a.m., 17 views

zeek -- Various vulnerabilities

Jon Siwek of Corelight reports: This release fixes the following security issues: Fix potential stack overflow in NVT analyzer Fix NVT analyzer memory leak from multiple telnet authn name options Fix multiple content-transfer-encoding headers causing a memory leak Fix potential leak of Analyzers...

AI score 3.7
Exploits: 0 | References: 1

Tenable Nessus
added 2020/05/01 12:0 a.m., 73 views

EulerOS Virtualization for ARM 64 3.0.2.0 : haproxy (EulerOS-SA-2020-1523)

According to the version of the haproxy package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerability : - A flaw was found in HAProxy before 2.0.6. In legacy mode, messages featuring a transfer-encoding header missing the...

CVSS 7.5 | AI score 6.7 | EPSS 0.02818
Exploits: 1 | References: 2

RedHat Linux
added 2020/04/28 3:37 p.m., 6 views

haproxy: HTTP request smuggling issue with transfer-encoding header containing an obfuscated "chunked" value

A flaw was found in HAProxy before 2.0.6. In legacy mode, messages featuring a transfer-encoding header missing the "chunked" value were not being correctly rejected. The impact was limited but if combined with the "http-reuse always" setting, it could be used to help construct an HTTP request...

CVSS 7.5 | AI score 7.2 | EPSS 0.02818
Exploits: 1 | References: 4

Tenable Nessus
added 2020/04/24 12:0 a.m., 36 views

Oracle Linux 7 : python-twisted-web (ELSA-2020-1561)

The remote Oracle Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2020-1561 advisory. - Fix CVE-2020-10108 and CVE-2020-10109 multiple HTTP request smuggling vulnerabilities Resolves: rhbz1813439 rhbz1813447 Tenable has extracted the...

CVSS 9.8 | AI score 8.2 | EPSS 0.02327
Exploits: 2 | References: 3

RedHat Linux
added 2020/04/23 2:14 p.m., 2 views

python-twisted: HTTP request smuggling when presented with a Content-Length and a chunked Transfer-Encoding header

A flaw was found in python-twisted-web, where it does not correctly process HTTP requests with both Content-Length and Transfer-Encoding headers. When the requests sent from and to the python-twisted-web are processed by another component that correctly processes HTTP requests, for example, a...

CVSS 9.8 | AI score 7.3 | EPSS 0.02327
Exploits: 1 | References: 5

RedHat Linux
added 2020/04/21 11:27 a.m., 0 views

nodejs: HTTP request smuggling using malformed Transfer-Encoding header

A flaw was found in the Node.js code where a specially crafted HTTPs request sent to a Node.js server failed to properly process the HTTPs headers, resulting in a request smuggling attack. An attacker can use this flaw to alter a request sent as an authenticated user if the Node.js server is...

CVSS 9.8 | AI score 7.4 | EPSS 0.32252
Exploits: 0 | References: 5

RedHat Linux
added 2020/04/21 11:7 a.m., 1 view

tomcat: Mishandling of Transfer-Encoding header allows for HTTP request smuggling

A flaw was found in Apache Tomcat. The HTTP header parsing code used an approach to end-of-line EOL parsing that allowed some invalid HTTP headers to be parsed as valid. This led to the possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the...

CVSS 5.8 | AI score 6.8 | EPSS 0.01382
Exploits: 0 | References: 7

RedHat Linux
added 2020/04/21 11:7 a.m., 0 views

tomcat: Regression in handling of Transfer-Encoding header allows for HTTP request smuggling

The refactoring in 9.0.28 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid...

CVSS 5.8 | AI score 7.3 | EPSS 0.06163
Exploits: 0 | References: 7

RedHat Linux
added 2020/04/21 10:55 a.m., 3 views

tomcat: Regression in handling of Transfer-Encoding header allows for HTTP request smuggling

The refactoring in 9.0.28 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid...

CVSS 5.8 | AI score 7.3 | EPSS 0.06163
Exploits: 0 | References: 7

RedHat Linux
added 2020/04/21 10:55 a.m., 2 views

tomcat: Mishandling of Transfer-Encoding header allows for HTTP request smuggling

A flaw was found in Apache Tomcat. The HTTP header parsing code used an approach to end-of-line EOL parsing that allowed some invalid HTTP headers to be parsed as valid. This led to the possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the...

CVSS 5.8 | AI score 6.8 | EPSS 0.01382
Exploits: 0 | References: 7

RedHat Linux
added 2020/04/14 1:4 p.m., 0 views

netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header

A flaw was found in Netty before version 4.1.44, where it accepted multiple Content-Length headers and also accepted both Transfer-Encoding, as well as Content-Length headers where it should reject the message under such circumstances. In circumstances where Netty is used in the context of a...

CVSS 9.1 | AI score 7.1 | EPSS 0.03562
Exploits: 1 | References: 4

RedHat Linux
added 2020/04/14 1:4 p.m., 0 views

netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling

A flaw was found in Netty, where it mishandles Transfer-Encoding whitespace. This flaw allows HTTP Request Smuggling...

CVSS 7.5 | AI score 7.1 | EPSS 0.01498
Exploits: 1 | References: 5