Log

AVG-1194 edited at 28 Jun 2020 20:24:32
Status
- Testing
+ Fixed
ASA-202006-16 edited at 28 Jun 2020 16:18:55
Impact
+ A remote attacker might be able to cause a denial of service via a specially crafted sequence of HTTP/2 requests.
ASA-202006-16 created at 28 Jun 2020 16:18:27
AVG-1196 edited at 28 Jun 2020 16:18:18
Severity
- Unknown
+ Medium
CVE-2020-11996 edited at 28 Jun 2020 16:18:18
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Denial of service
Description
+ A denial of service has been found in Apache Tomcat before 9.0.36 and 8.5.56, where a specially crafted sequence of HTTP/2 requests could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.
References
+ https://www.openwall.com/lists/oss-security/2020/06/25/6
+ https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.36
+ https://github.com/apache/tomcat/commit/9a0231683a77e2957cea0fdee88b193b30b0c976
+ https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.56
+ https://github.com/apache/tomcat/commit/c8acd2ab7371e39aeca7c306f3b5380f00afe552
Notes
AVG-1197 edited at 28 Jun 2020 16:18:18
Severity
- Unknown
+ Medium
CVE-2020-11996 edited at 28 Jun 2020 16:18:18
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Denial of service
Description
+ A denial of service has been found in Apache Tomcat before 9.0.36 and 8.5.56, where a specially crafted sequence of HTTP/2 requests could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.
References
+ https://www.openwall.com/lists/oss-security/2020/06/25/6
+ https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.36
+ https://github.com/apache/tomcat/commit/9a0231683a77e2957cea0fdee88b193b30b0c976
+ https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.56
+ https://github.com/apache/tomcat/commit/c8acd2ab7371e39aeca7c306f3b5380f00afe552
Notes
AVG-1197 created at 28 Jun 2020 16:16:27
Packages
+ tomcat8
Issues
+ CVE-2020-11996
Status
+ Fixed
Severity
+ Unknown
Affected
+ 8.5.55-1
Fixed
+ 8.5.56-1
Ticket
Advisory qualified
+ Yes
References
+ https://www.openwall.com/lists/oss-security/2020/06/25/6
Notes
AVG-1196 created at 28 Jun 2020 16:15:55
Packages
+ tomcat9
Issues
+ CVE-2020-11996
Status
+ Vulnerable
Severity
+ Unknown
Affected
+ 9.0.35-1
Fixed
Ticket
Advisory qualified
+ Yes
References
+ https://www.openwall.com/lists/oss-security/2020/06/25/6
Notes
CVE-2020-11996 created at 28 Jun 2020 16:15:55
AVG-1195 edited at 28 Jun 2020 16:14:08
Severity
- Unknown
+ Medium
CVE-2020-10753 edited at 28 Jun 2020 16:14:08
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Content spoofing
Description
+ A flaw was found in the Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made. This issue affects the RadosGW S3 API; it does not affect the Swift API.
References
+ https://github.com/ceph/ceph/pull/35773/commits/1524d3c0c5cb11775313ea1e2bb36a93257947f2
Notes
AVG-1195 created at 28 Jun 2020 16:13:25
Packages
+ ceph
Issues
+ CVE-2020-10753
Status
+ Vulnerable
Severity
+ Unknown
Affected
+ 14.2.8-1
Fixed
Ticket
Advisory qualified
+ Yes
References
+ https://www.openwall.com/lists/oss-security/2020/06/25/5
+ https://github.com/ceph/ceph/pull/35773/commits/1524d3c0c5cb11775313ea1e2bb36a93257947f2
Notes
CVE-2020-10753 created at 28 Jun 2020 16:13:25
ASA-202006-15 edited at 28 Jun 2020 16:09:16
Impact
+ A remote attacker might be able to access sensitive information or crash the application via a crafted RDP session. A malicious server, or an attacker in a man-in-the-middle position, might be able to execute arbitrary code on the affected host.