GHSA-mgc4-wqv7-4pxm

Source
https://github.com/advisories/GHSA-mgc4-wqv7-4pxm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-mgc4-wqv7-4pxm/GHSA-mgc4-wqv7-4pxm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mgc4-wqv7-4pxm
Published
2023-05-18T17:29:43Z
Modified
2023-05-18T17:29:43Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
SwiftNIO vulnerable to HTTP request smuggling using malformed Transfer-Encoding header
Details

Impact

Affected SwiftNIO systems are vulnerable to request smuggling attacks, in which they parse a given HTTP message differently from other network parties, potentially seeing a different number of requests than other servers. This can lead to failures of authentication, routing, and other issues.

This vulnerability is located in the bundled copy of the Node.js HTTP parser used by the NIOHTTP1 module.
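As an added illustration of the CWE-444 class this advisory describes (example code written for this page, not SwiftNIO's parser or the fix), a conservative framing check that rejects ambiguous request heads instead of guessing, following the RFC 7230 rules: no Transfer-Encoding together with Content-Length, no whitespace inside a field name, and "chunked" exactly once as the final transfer coding. The sample request heads are constructed.

```python
import re
from typing import List, Optional, Tuple

# Token characters allowed in a header field name or transfer-coding (RFC 7230).
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def parse_head(raw: bytes) -> List[Tuple[str, str]]:
    """Split a request head (up to the blank line) into lowercase (name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        # Whitespace in the field name ("Transfer-Encoding : chunked") is a desync trick.
        if not sep or not _TOKEN.match(name):
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.lower(), value.strip()))
    return headers

def framing_problem(raw: bytes) -> Optional[str]:
    """Return why the request's body framing is ambiguous, or None if it is sound."""
    try:
        headers = parse_head(raw)
    except ValueError as exc:
        return str(exc)
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if te and cl:
        return "both Transfer-Encoding and Content-Length present"
    if len(set(cl)) > 1:
        return "conflicting Content-Length values"
    if cl and not cl[0].isdigit():
        return "non-numeric Content-Length"
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if any(not _TOKEN.match(c) for c in codings):
            return "malformed Transfer-Encoding value"
        if codings[-1] != "chunked" or codings.count("chunked") > 1:
            return "chunked must appear exactly once, as the final transfer coding"
    return None

# Constructed sample request heads (not taken from the advisory).
SAMPLES = {
    "clean_chunked": b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n",
    "te_and_cl": b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n",
    "te_not_final": b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked, gzip\r\n\r\n",
    "space_in_name": b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding : chunked\r\n\r\n",
}

def audit_samples() -> dict:
    return {name: framing_problem(raw) for name, raw in SAMPLES.items()}
```

A front-end proxy or server that applies this check returns 400 for every request it flags, so the two parsers in the chain never disagree about where one request ends and the next begins.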

Workarounds

No workaround is available; users must upgrade.

References

https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/#http-request-smuggling-using-malformed-transfer-encoding-header-critical-cve-2019-15605

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-444"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-18T17:29:43Z"
}
Affected packages

SwiftURL / github.com/apple/swift-nio

Package

Name
github.com/apple/swift-nio
Purl
pkg:swift/github.com/apple/swift-nio

Affected ranges
Type: SEMVER
Events: Introduced 1.0.0, Fixed 1.14.2

SwiftURL / github.com/apple/swift-nio

Package

Name
github.com/apple/swift-nio
Purl
pkg:swift/github.com/apple/swift-nio

Affected ranges
Type: SEMVER
Events: Introduced 2.0.0, Fixed 2.13.1