This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This issue affects Apache Traffic Server 9.1.0. And it may affect the developer's custom plugin. An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the POST /login endpoint of any API version to inject unsanitized content into the LDAP filter. Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in the stats-over-http plugin of Apache Traffic Server allows an attacker to overwrite memory. Some other plugins also have the same issue. For instance, when the block list contains "^/internal/", a URI like `//internal/` can be used to bypass it. This makes it possible to construct a URI to bypass the block list on some occasions. The $request_uri is the full original request URI without normalization. The uri-block plugin in Apache APISIX before 2.10.2 uses $request_uri without verification. Apache JSPWiki users should upgrade to 2.11.0 or later. Remote attackers may delete arbitrary files in a system hosting a JSPWiki instance, versions up to 2.11.0.M8, by using a carefully crafted HTTP request on logout, given that those files are reachable to the user running the JSPWiki instance.