GHSA-7vm6-qwh5-9x44
Suggest an improvement- Source
- https://github.com/advisories/GHSA-7vm6-qwh5-9x44
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-7vm6-qwh5-9x44/GHSA-7vm6-qwh5-9x44.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-7vm6-qwh5-9x44
- Aliases
- Published
- 2024-11-04T23:22:33Z
- Modified
- 2024-11-05T18:35:38Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
- 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- loona-hpack Panic Vulnerability
- Details
-
Summary
loona-hpacksuffers from the same vulnerability as the originalhpackas documented in https://github.com/mlalic/hpack-rs/issues/11Details
The original includes a very nice description of the problem, as well as an easy-enough fix for it.
PoC
The original example pretty much still applies:
use loona_hpack::Decoder; pub fn main() { let input = &[0x3f]; let mut decoder = Decoder::new(); let _ = decoder.decode(input); }Impact
From the original:
All users who try to decode untrusted input using the Decoder are vulnerable to this exploit. A patched version of the crate is available on [crates.io](https://crates.io/crates/hpack-patched) under the name hpack-patched. See [Cargo's documentation on overriding dependencies](https://doc.rust-lang.org/cargo/reference/overriding-dependencies.html) for more information. - References
-
- https://github.com/bearcove/loona/security/advisories/GHSA-7vm6-qwh5-9x44
- https://nvd.nist.gov/vuln/detail/CVE-2024-51502
- https://github.com/mlalic/hpack-rs/issues/11
- https://github.com/bearcove/loona/commit/9a4028ec6484f50a320281271a41a5040ddb1ba8
- https://github.com/advisories/GHSA-w7hm-hmxv-pvhf
- https://github.com/bearcove/loona
Affected packages
crates.io / loona-hpack
Package
- Name
- loona-hpack
- View open source insights on deps.dev
- Purl
- pkg:cargo/loona-hpack