Page 26 of 982 results (0.020 seconds)

CVSS: 8.6EPSS: 0%CPEs: 7EXPL: 0

CVE-2020-25097 – squid: improper input validation may allow a trusted client to perform HTTP request smuggling

https://notcve.org/view.php?id=CVE-2020-25097

An issue was discovered in Squid through 4.13 and 5.x through 5.0.4. Due to improper input validation, it allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by the security controls. This occurs for certain uri_whitespace configuration settings. Se detectó un problema en Squid versiones hasta 4.13 y versiones 5.x hasta 5.0.4. Debido a una comprobación inapropiada de la entrada, permite a un cliente confiable llevar a cabo un Trafico No Autorizado de Peticiones HTTP y acceder a servicios que de otro modo estarían prohibidos por los controles de seguridad. • http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_11.patch http://www.squid-cache.org/Versions/v5/changesets/SQUID-2020_11.patch https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DJMDRVV677AJL4BZAOLCT5LMFCGBZTC2 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FBXFWKIGXPERDVQXG556LLPUOCMQGERC https://lists.fedoraproject.org/archives/list/package-announc • CWE-20: Improper Input Validation CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •

CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0

CVE-2021-28831

https://notcve.org/view.php?id=CVE-2021-28831

decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data. El archivo decompress_gunzip.c en BusyBox versiones hasta 1.32.1, maneja inapropiadamente el bit de error en el puntero de resultado de huft_build, con un fallo liberación invalida o de segmentación resultante, por medio de datos gzip malformados • https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd https://lists.debian.org/debian-lts-announce/2021/04/msg00001.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3UDQGJRECXFS5EZVDH2OI45FMO436AC4 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7ZIFKPRR32ZYA3WAA2NXFA3QHHOU6FJ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U https://security.gentoo.org&# • CWE-755: Improper Handling of Exceptional Conditions •

CVSS: 7.5EPSS: 1%CPEs: 5EXPL: 1

CVE-2021-27291 – python-pygments: ReDoS in multiple lexers

https://notcve.org/view.php?id=CVE-2021-27291

In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. En pygments versión 1.1+, corregido en 2.7.4, los lexers usados para analizar unos lenguajes de programación dependen en gran medida en expresiones regulares. Algunas de las expresiones regulares presentan una complejidad exponencial o cúbica en el peor de los casos y son vulnerables a ReDoS. • https://gist.github.com/b-c-ds/b1a2cc0c68a35c57188575eb496de5ce https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14 https://lists.debian.org/debian-lts-announce/2021/03/msg00024.html https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GSJRFHALQ7E3UV4FFMFU2YQ6LUDHAI55 https://lists.fedoraproject.org/archives/list/package • CWE-400: Uncontrolled Resource Consumption CWE-1333: Inefficient Regular Expression Complexity •

CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 1

CVE-2021-21192

https://notcve.org/view.php?id=CVE-2021-21192

Heap buffer overflow in tab groups in Google Chrome prior to 89.0.4389.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. El desbordamiento del búfer de la pila en tab groups en Google Chrome versiones anteriores a 89.0.4389.90, permitía a un atacante remoto explotar potencialmente una corrupción de la pila por medio de una página HTML diseñada • https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html https://crbug.com/1181387 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N52OWF4BAP3JNK2QYGU3Q6QUVDZDCIMQ https://security.gentoo.org/glsa/202104-08 https://www.debian.org/security/2021/dsa-4886 • CWE-787: Out-of-bounds Write •

CVSS: 8.8EPSS: 1%CPEs: 3EXPL: 1

CVE-2021-21193 – Google Chromium Blink Use-After-Free Vulnerability

https://notcve.org/view.php?id=CVE-2021-21193

Use after free in Blink in Google Chrome prior to 89.0.4389.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Un uso de la memoria previamente liberada en Blink en Google Chrome versiones anteriores a 89.0.4389.90, permitía a un atacante remoto explotar la corrupción de la pila por medio de una página HTML diseñada Google Chromium Blink contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera. • https://github.com/mehrzad1994/CVE-2021-21193 https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html https://crbug.com/1186287 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N52OWF4BAP3JNK2QYGU3Q6QUVDZDCIMQ https://security.gentoo.org/glsa/202104-08 https://www.debian.org/security/2021/dsa-4886 • CWE-416: Use After Free •