Total
195 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-15272 | 1 Cisco | 1 Unified Communications Manager | 2024-02-04 | 6.4 MEDIUM | 6.5 MEDIUM |
A vulnerability in the web-based interface of Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition (SME) could allow an unauthenticated, remote attacker to bypass security restrictions. The vulnerability is due to improper handling of malformed HTTP methods. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected system. A successful exploit could allow the attacker to gain unauthorized access to the system. | |||||
CVE-2019-16789 | 1 Agendaless | 1 Waitress | 2024-02-04 | 6.4 MEDIUM | 8.2 HIGH |
In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests containing special whitespace characters in the Transfer-Encoding header would get parsed by Waitress as being a chunked request, but a front-end server would use the Content-Length instead as the Transfer-Encoding header is considered invalid due to containing invalid characters. If a front-end server does HTTP pipelining to a backend Waitress server this could lead to HTTP request splitting which may lead to potential cache poisoning or unexpected information disclosure. This issue is fixed in Waitress 1.4.1 through more strict HTTP field validation. | |||||
CVE-2015-5741 | 2 Golang, Redhat | 3 Go, Enterprise Linux, Openstack | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields. | |||||
CVE-2019-18277 | 1 Haproxy | 1 Haproxy | 2024-02-04 | 4.3 MEDIUM | 7.5 HIGH |
A flaw was found in HAProxy before 2.0.6. In legacy mode, messages featuring a transfer-encoding header missing the "chunked" value were not being correctly rejected. The impact was limited but if combined with the "http-reuse always" setting, it could be used to help construct an HTTP request smuggling attack against a vulnerable component employing a lenient parser that would ignore the content-length header as soon as it saw a transfer-encoding one (even if not entirely valid according to the specification). | |||||
CVE-2020-1935 | 6 Apache, Canonical, Debian and 3 more | 20 Tomcat, Ubuntu Linux, Debian Linux and 17 more | 2024-02-04 | 5.8 MEDIUM | 4.8 MEDIUM |
In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. | |||||
CVE-2019-16786 | 1 Agendaless | 1 Waitress | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that value was not chunked it would fall through and use the Content-Length header instead. According to the HTTP standard Transfer-Encoding should be a comma separated list, with the inner-most encoding first, followed by any further transfer codings, ending with chunked. Requests sent with: "Transfer-Encoding: gzip, chunked" would incorrectly get ignored, and the request would use a Content-Length header instead to determine the body size of the HTTP message. This could allow for Waitress to treat a single request as multiple requests in the case of HTTP pipelining. This issue is fixed in Waitress 1.4.0. | |||||
CVE-2020-5401 | 1 Cloudfoundry | 1 Routing Release | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
Cloud Foundry Routing Release, versions prior to 0.197.0, contains GoRouter, which allows malicious clients to send invalid headers, causing caching layers to reject subsequent legitimate clients trying to access the app. | |||||
CVE-2019-20444 | 5 Canonical, Debian, Fedoraproject and 2 more | 7 Ubuntu Linux, Debian Linux, Fedora and 4 more | 2024-02-04 | 6.4 MEDIUM | 9.1 CRITICAL |
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold." | |||||
CVE-2019-19223 | 1 Dlink | 2 Dsl-2680, Dsl-2680 Firmware | 2024-02-04 | 7.8 HIGH | 7.5 HIGH |
A Broken Access Control vulnerability in the D-Link DSL-2680 web administration interface (Firmware EU_1.03) allows an attacker to reboot the router by submitting a reboot.html GET request without being authenticated on the admin interface. | |||||
CVE-2020-5218 | 1 Sylius | 1 Sylius | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
Affected versions of Sylius give attackers the ability to switch channels via the _channel_code GET parameter in production environments. This was meant to be enabled only when kernel.debug is set to true. However, if no sylius_channel.debug is set explicitly in the configuration, the default value which is kernel.debug will be not resolved and cast to boolean, enabling this debug feature even if that parameter is set to false. Patch has been provided for Sylius 1.3.x and newer - 1.3.16, 1.4.12, 1.5.9, 1.6.5. Versions older than 1.3 are not covered by our security support anymore. | |||||
CVE-2020-10108 | 5 Canonical, Debian, Fedoraproject and 2 more | 6 Ubuntu Linux, Debian Linux, Fedora and 3 more | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request. | |||||
CVE-2019-16869 | 4 Canonical, Debian, Netty and 1 more | 5 Ubuntu Linux, Debian Linux, Netty and 2 more | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling. | |||||
CVE-2019-16785 | 1 Agendaless | 1 Waitress | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
Waitress through version 1.3.1 implemented a "MAY" part of the RFC7230 which states: "Although the line terminator for the start-line and header fields is the sequence CRLF, a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR." Unfortunately if a front-end server does not parse header fields with an LF the same way as it does those with a CRLF it can lead to the front-end and the back-end server parsing the same HTTP message in two different ways. This can lead to a potential for HTTP request smuggling/splitting whereby Waitress may see two requests while the front-end server only sees a single HTTP message. This issue is fixed in Waitress 1.4.0. | |||||
CVE-2020-7238 | 4 Debian, Fedoraproject, Netty and 1 more | 6 Debian Linux, Fedora, Netty and 3 more | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869. | |||||
CVE-2019-1020012 | 1 Parseplatform | 1 Parse-server | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
parse-server before 3.4.1 allows DoS after any POST to a volatile class. | |||||
CVE-2018-4030 | 1 Getcujo | 1 Smart Firewall | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
An exploitable vulnerability exists the safe browsing function of the CUJO Smart Firewall, version 7003. The bug lies in the way the safe browsing function parses HTTP requests. The "Host" header is incorrectly extracted from captured HTTP requests, which would allow an attacker to visit any malicious websites and bypass the firewall. An attacker could send an HTTP request to exploit this vulnerability. | |||||
CVE-2019-0197 | 6 Apache, Canonical, Fedoraproject and 3 more | 12 Http Server, Ubuntu Linux, Fedora and 9 more | 2024-02-04 | 4.9 MEDIUM | 4.2 MEDIUM |
A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash. Server that never enabled the h2 protocol or that only enabled it for https: and did not set "H2Upgrade on" are unaffected by this issue. | |||||
CVE-2017-2666 | 2 Debian, Redhat | 4 Debian Linux, Enterprise Linux, Jboss Enterprise Application Platform and 1 more | 2024-02-04 | 6.4 MEDIUM | 6.5 MEDIUM |
It was discovered in Undertow that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own. | |||||
CVE-2018-3908 | 1 Samsung | 2 Sth-eth-250, Sth-eth-250 Firmware | 2024-02-04 | 6.4 MEDIUM | 7.5 HIGH |
An exploitable vulnerability exists in the REST parser of video-core's HTTP server of the Samsung SmartThings Hub STH-ETH-250-Firmware version 0.20.17. The video-core process incorrectly handles pipelined HTTP requests, which allows successive requests to overwrite the previously parsed HTTP method, URL and body. With the implementation of the on_body callback, defined by sub_41734, an attacker can send an HTTP request to trigger this vulnerability. | |||||
CVE-2018-3909 | 1 Samsung | 2 Sth-eth-250, Sth-eth-250 Firmware | 2024-02-04 | 6.4 MEDIUM | 8.6 HIGH |
An exploitable vulnerability exists in the REST parser of video-core's HTTP server of the Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The video-core process incorrectly handles pipelined HTTP requests, which allows successive requests to overwrite the previously parsed HTTP method, 'onmessagecomplete' callback. An attacker can send an HTTP request to trigger this vulnerability. |