CVE-2023-36478 – HTTP/2 HPACK integer overflow and buffer allocation
https://notcve.org/view.php?id=CVE-2023-36478
Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered. • http://www.openwall.com/lists/oss-security/2023/10/18/4 https://github.com/eclipse/jetty.project/pull/9634 https://github.com/eclipse/jetty.project/releases/tag/jetty-10.0.16 https://github.com/eclipse/jetty.project/releases/tag/jetty-11.0.16 https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.53.v20231009 https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgh7-54f2-x98r https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html https: • CWE-190: Integer Overflow or Wraparound CWE-400: Uncontrolled Resource Consumption •
CVE-2023-44487 – HTTP/2 Rapid Reset Attack Vulnerability
https://notcve.org/view.php?id=CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. El protocolo HTTP/2 permite una denegación de servicio (consumo de recursos del servidor) porque la cancelación de solicitudes puede restablecer muchas transmisiones rápidamente, como se explotó en la naturaleza entre agosto y octubre de 2023. A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. • https://github.com/imabee101/CVE-2023-44487 https://github.com/studiogangster/CVE-2023-44487 https://github.com/bcdannyboy/CVE-2023-44487 https://github.com/sigridou/CVE-2023-44487- https://github.com/ByteHackr/CVE-2023-44487 https://github.com/ReToCode/golang-CVE-2023-44487 http://www.openwall.com/lists/oss-security/2023/10/13/4 http://www.openwall.com/lists/oss-security/2023/10/13/9 http://www.openwall.com/lists/oss-security/2023/10/18/4 http://www. • CWE-400: Uncontrolled Resource Consumption •
CVE-2023-43641 – libcue vulnerable to out-of-bounds array access
https://notcve.org/view.php?id=CVE-2023-43641
libcue provides an API for parsing and extracting data from CUE sheets. Versions 2.2.1 and prior are vulnerable to out-of-bounds array access. A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malicious webpage. Because the file is saved to `~/Downloads`, it is then automatically scanned by tracker-miners. And because it has a .cue filename extension, tracker-miners use libcue to parse the file. • http://packetstormsecurity.com/files/176128/libcue-2.2.1-Out-Of-Bounds-Access.html https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641 https://github.com/lipnitsk/libcue/commit/cfb98a060fd79dbc3463d85f0f29c3c335dfa0ea https://github.com/lipnitsk/libcue/commit/fdf72c8bded8d24cfa0608b8e97f2eed210a920e https://github.com/lipnitsk/libcue/security/advisories/GHSA-5982-x7hv-r9cj https://lists.debian.org/debian-lts-announce/2023/10/msg00018.html https://lists.fedoraproject.org/archives/l • CWE-787: Out-of-bounds Write •
CVE-2023-42755 – Kernel: rsvp: out-of-bounds read in rsvp_classify()
https://notcve.org/view.php?id=CVE-2023-42755
A flaw was found in the IPv4 Resource Reservation Protocol (RSVP) classifier in the Linux kernel. The xprt pointer may go beyond the linear part of the skb, leading to an out-of-bounds read in the `rsvp_classify` function. This issue may allow a local user to crash the system and cause a denial of service. Se encontró una falla en el clasificador del IPv4 Resource Reservation Protocol (RSVP) en el kernel de Linux. El puntero xprt puede ir más allá de la parte lineal del skb, lo que lleva a una lectura fuera de límites en la función `rsvp_classify`. • https://access.redhat.com/errata/RHSA-2024:2950 https://access.redhat.com/errata/RHSA-2024:3138 https://access.redhat.com/security/cve/CVE-2023-42755 https://bugzilla.redhat.com/show_bug.cgi?id=2239847 https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html https://seclists.org/oss-sec/2023/q3/229 • CWE-125: Out-of-bounds Read •
CVE-2023-43804 – `Cookie` HTTP header isn't stripped on cross-origin redirects
https://notcve.org/view.php?id=CVE-2023-43804
urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5. urllib3 es una librería cliente HTTP fácil de usar para Python. urllib3 no trata el encabezado HTTP "Cookie" de manera especial ni proporciona ayuda para administrar las cookies a través de HTTP, eso es responsabilidad del usuario. Sin embargo, es posible que un usuario especifique un encabezado "Cookie" y, sin saberlo, filtre información a través de redireccionamientos HTTP a un origen diferente si ese usuario no deshabilita los redireccionamientos explícitamente. Este problema se solucionó en urllib3 versión 1.26.17 o 2.0.5. • https://github.com/JawadPy/CVE-2023-43804-Exploit https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5 https://lists.fedoraproject.org/archives/list/package-announc • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •