CVE-2021-38512

Source
https://cve.org/CVERecord?id=CVE-2021-38512
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-38512.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-38512
Aliases
Published
2021-08-10T23:15:07.277Z
Modified
2026-07-08T05:57:17.690920039Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

An issue was discovered in the actix-http crate before 3.0.0-beta.9 for Rust. HTTP/1 request smuggling (aka HRS) can occur, potentially leading to credential disclosure.

Database specific
{
    "unresolved_ranges": [
        {
            "cpes": [
                "cpe:2.3:a:actix:actix-http:3.0.0:beta1:*:*:*:rust:*:*",
                "cpe:2.3:a:actix:actix-http:3.0.0:beta2:*:*:*:rust:*:*",
                "cpe:2.3:a:actix:actix-http:3.0.0:beta3:*:*:*:rust:*:*",
                "cpe:2.3:a:actix:actix-http:3.0.0:beta4:*:*:*:rust:*:*",
                "cpe:2.3:a:actix:actix-http:3.0.0:beta5:*:*:*:rust:*:*",
                "cpe:2.3:a:actix:actix-http:3.0.0:beta6:*:*:*:rust:*:*",
                "cpe:2.3:a:actix:actix-http:3.0.0:beta7:*:*:*:rust:*:*",
                "cpe:2.3:a:actix:actix-http:3.0.0:beta8:*:*:*:rust:*:*"
            ],
            "vendor_product": "actix:actix-http",
            "extracted_events": [
                {
                    "introduced": "3.0.0-beta1"
                },
                {
                    "last_affected": "3.0.0-beta1"
                },
                {
                    "introduced": "3.0.0-beta2"
                },
                {
                    "last_affected": "3.0.0-beta2"
                },
                {
                    "introduced": "3.0.0-beta3"
                },
                {
                    "last_affected": "3.0.0-beta3"
                },
                {
                    "introduced": "3.0.0-beta4"
                },
                {
                    "last_affected": "3.0.0-beta4"
                },
                {
                    "introduced": "3.0.0-beta5"
                },
                {
                    "last_affected": "3.0.0-beta5"
                },
                {
                    "introduced": "3.0.0-beta6"
                },
                {
                    "last_affected": "3.0.0-beta6"
                },
                {
                    "introduced": "3.0.0-beta7"
                },
                {
                    "last_affected": "3.0.0-beta7"
                },
                {
                    "introduced": "3.0.0-beta8"
                },
                {
                    "last_affected": "3.0.0-beta8"
                }
            ],
            "source": "CPE_STRING"
        },
        {
            "vendor_product": "fedoraproject:fedora",
            "cpes": [
                "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "introduced": "34"
                },
                {
                    "last_affected": "34"
                }
            ],
            "source": "CPE_STRING"
        }
    ]
}
References

Affected packages

Git / github.com/actix/actix-web

Affected ranges

Type
GIT
Repo
https://github.com/actix/actix-web
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Last affected
Database specific
{
    "cpe": [
        "cpe:2.3:a:actix:actix-http:*:*:*:*:*:rust:*:*",
        "cpe:2.3:a:actix:actix-http:3.0.0:-:*:*:*:rust:*:*"
    ],
    "source": [
        "CPE_RANGE",
        "CPE_STRING"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.0.0"
        },
        {
            "introduced": "3.0.0-NA"
        },
        {
            "last_affected": "3.0.0-NA"
        }
    ]
}

Affected versions

0.*
0.7.15
0.7.16
0.7.17
0.7.18
3.*
3.0.0-NA
actors-v1.*
actors-v1.0.0
actors-v1.0.1
actors-v1.0.2
actors-v1.0.3
actors-v2.*
actors-v2.0.0
actors-v3.*
actors-v3.0.0
actors-v3.0.0-alpha.1
actors-v3.0.0-beta.1
actors-v3.0.0-beta.2
Other
awc
awc-v0.*
awc-v0.1.0
awc-v0.1.1
awc-v0.2.0
awc-v0.2.1
awc-v0.2.2
awc-v0.2.3
awc-v0.2.4
awc-v0.2.5
awc-v0.2.6
awc-v0.2.7
awc-v0.2.8
awc-v1.*
awc-v1.0.0
awc-v1.0.1
awc-v2.*
awc-v2.0.0
awc-v2.0.0-alpha.1
awc-v2.0.0-alpha.2
awc-v2.0.0-beta.1
awc-v2.0.0-beta.2
awc-v2.0.0-beta.3
awc-v2.0.0-beta.4
codegen-v0.*
codegen-v0.1.0
codegen-v0.1.1
codegen-v0.1.2
codegen-v0.1.3
codegen-v0.2.1
codegen-v0.2.2
codegen-v0.3.0
codegen-v0.3.0-beta.1
cors-v0.*
cors-v0.1.0
cors-v0.2.0
files-v0.*
files-v0.1.0
files-v0.1.1
files-v0.1.2
files-v0.1.3
files-v0.1.4
files-v0.1.5
files-v0.1.6
files-v0.1.7
files-v0.2.0
files-v0.2.1
files-v0.3.0
files-v0.3.0-alpha.1
files-v0.3.0-beta.1
framed-v0.*
framed-v0.1.0
framed-v0.2.0
framed-v0.2.1
framed-v0.3.0
http-test-v0.*
http-test-v0.1.0
http-test-v0.1.1
http-test-v0.2.1
http-test-v0.2.2
http-test-v0.2.3
http-test-v0.2.5
http-test-v1.*
http-test-v1.0.0
http-test-v2.*
http-test-v2.0.0
http-test-v2.0.0-alpha.1
http-v0.*
http-v0.1.0
http-v0.1.0-alpha.1
http-v0.1.1
http-v0.1.2
http-v0.1.3
http-v0.1.4
http-v0.1.5
http-v0.2.0
http-v0.2.1
http-v0.2.10
http-v0.2.11
http-v0.2.2
http-v0.2.3
http-v0.2.4
http-v0.2.5
http-v0.2.6
http-v0.2.7
http-v0.2.8
http-v0.2.9
http-v1.*
http-v1.0.0
http-v1.0.1
http-v2.*
http-v2.0.0
http-v2.0.0-alpha.1
http-v2.0.0-alpha.2
http-v2.0.0-alpha.3
http-v2.0.0-alpha.4
http-v2.0.0-beta.1
http-v2.0.0-beta.2
http-v2.0.0-beta.3
http-v2.0.0-beta.4
identity-v0.*
identity-v0.1.0
identity-v0.2.0
identity-v0.2.1
multipart-v0.*
multipart-v0.1.0
multipart-v0.1.0-beta.1
multipart-v0.1.1
multipart-v0.1.2
multipart-v0.1.3
multipart-v0.1.4
multipart-v0.2.0
multipart-v0.3.0
multipart-v0.3.0-beta.1
multipart-v0.3.0-beta.2
session-v0.*
session-v0.1.0
session-v0.1.0-beta.2
session-v0.1.1
session-v0.2.0
session-v0.3.0
v0.*
v0.2.0
v0.2.1
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.4.0
v0.4.1
v0.4.10
v0.4.2
v0.4.3
v0.4.4
v0.4.5
v0.4.6
v0.4.7
v0.4.8
v0.4.9
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.6.0
v0.6.1
v0.6.10
v0.6.2
v0.6.3
v0.6.4
v0.6.5
v0.6.6
v0.6.7
v0.6.8
v0.6.9
v0.7.0
v0.7.1
v0.7.10
v0.7.11
v0.7.12
v0.7.13
v0.7.14
v0.7.2
v0.7.3
v0.7.4
v0.7.5
v0.7.6
v0.7.7
v0.7.8
v0.7.9
v1.*
v1.0.0-alpha.2
v1.0.0-alpha.3
v1.0.0-alpha.4
v1.0.0-alpha.5
v1.0.0-alpha.6
v1.0.0-beta.1
v2.*
v2.0.0-alpha.1
v2.0.0-alpha.3
web-v1.*
web-v1.0.0
web-v1.0.0-beta.2
web-v1.0.0-beta.3
web-v1.0.0-beta.4
web-v1.0.0-rc
web-v1.0.1
web-v1.0.2
web-v1.0.3
web-v1.0.4
web-v1.0.5
web-v1.0.6
web-v1.0.7
web-v1.0.8
web-v1.0.9
web-v2.*
web-v2.0.0
web-v2.0.0-rc
web-v3.*
web-v3.0.0
web-v3.0.0-alpha.1
web-v3.0.0-alpha.2
web-v3.0.0-alpha.3
web-v3.0.0-beta.1
web-v3.0.0-beta.2
web-v3.0.0-beta.3
web-v3.0.0-beta.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-38512.json"