Security
Headlines
CVE-2019-25072: rpc: client disable compression (#3430) · tendermint/tendermint@03085c2

Because the client supports Gzip compression in request bodies and places no limit on response body sizes, a malicious server can cause a client to consume a significant amount of system resources, which can be used as a denial-of-service vector.
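As an added illustration (not code from the Tendermint repository), a small Go client that applies both mitigations the description implies: the DisableCompression setting from the patch, plus a bounded body read with io.LimitReader, which the patch itself does not add. The function names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

var ErrBodyTooLarge = errors.New("response body exceeds configured limit")

// newHardenedClient mirrors the fix above: with DisableCompression the transport
// neither advertises gzip nor transparently inflates compressed bodies.
func newHardenedClient() *http.Client {
	return &http.Client{Transport: &http.Transport{DisableCompression: true}}
}

// readBounded reads at most maxBytes (plus one byte, to detect overflow) and
// fails instead of buffering an oversized body, covering the second cause
// named above (no limit on response body size).
func readBounded(body io.Reader, maxBytes int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(body, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > maxBytes {
		return nil, ErrBodyTooLarge
	}
	return data, nil
}

func fetchBounded(c *http.Client, url string, maxBytes int64) ([]byte, error) {
	resp, err := c.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	return readBounded(resp.Body, maxBytes)
}

func main() {
	// Constructed stand-in for a malicious server that returns an oversized body.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, strings.Repeat("A", 4096))
	}))
	defer srv.Close()
	_, err := fetchBounded(newHardenedClient(), srv.URL, 1024)
	fmt.Println("oversized body rejected:", errors.Is(err, ErrBodyTooLarge))
}
```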

CVE
#dos

@@ -74,7 +74,9 @@ func makeHTTPClient(remoteAddr string) (string, *http.Client) {

protocol, address, dialer := makeHTTPDialer(remoteAddr)

return protocol + “://” + address, &http.Client{

Transport: &http.Transport{

Dial: dialer,

// Set to true to prevent GZIP-bomb DoS attacks

DisableCompression: true,

Dial: dialer,

},

}

}
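Review bot: this hunk fixes only the gzip half of the advisory text; the other cause it names, the lack of a limit on response body sizes, is untouched, since nothing here bounds how much of the server's reply the client will buffer. Consider wrapping the body read at the call site with io.LimitReader and returning an error when the cap is exceeded, or state in the commit message where that limit is enforced. Minor: the comment "Set to true to prevent GZIP-bomb DoS attacks" would be clearer if it said what the setting does, namely that with DisableCompression the Transport neither sends Accept-Encoding: gzip nor transparently inflates responses, so the client's own transport no longer expands a compressed reply.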

Related news

GHSA-3fm3-m23v-5r46: Tendermint Client package vulnerable to Uncontrolled Resource Consumption
