RUSTSEC-2020-0031

Source
https://rustsec.org/advisories/RUSTSEC-2020-0031
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0031.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2020-0031
Published
2020-06-16T12:00:00Z
Modified
2023-11-08T04:03:37.438533Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
HTTP Request smuggling through malformed Transfer Encoding headers
Details

HTTP pipelining issues and request smuggling attacks are possible due to incorrect parsing of the Transfer-Encoding header.

It is possible to conduct HTTP request smuggling attacks (CL:TE/TE:TE) by sending invalid Transfer-Encoding headers.

By manipulating the HTTP response, the attacker could poison a web cache, perform an XSS attack, or obtain sensitive information from requests other than their own.
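
Added example, not tiny_http's code or its fix: a strict body-framing check that refuses any request whose Transfer-Encoding or Content-Length headers are malformed or conflicting, which is the ambiguity CL:TE/TE:TE smuggling depends on. The names `body_framing`, `Framing` and `Reject` are hypothetical, and accepting only a bare `chunked` coding is an assumption that is stricter than the HTTP specification requires.

```rust
#[derive(Debug, PartialEq)]
pub enum Framing { NoBody, Length(u64), Chunked }
#[derive(Debug, PartialEq)]
pub enum Reject { BadHeaderName, BadTransferEncoding, BadContentLength, LengthAndEncoding }
// HTTP optional whitespace is SP / HTAB only. str::trim() would also strip
// vertical tab and form feed, letting a disguised value pass as "chunked".
fn ows(s: &str) -> &str {
    s.trim_matches(|c| c == ' ' || c == '\t')
}

pub fn body_framing(headers: &[(&str, &str)]) -> Result<Framing, Reject> {
    let (mut chunked, mut length) = (false, None::<u64>);
    for (name, value) in headers {
        // A name like "Transfer-Encoding " can be ignored by one hop and
        // honoured by the next, so malformed names are refused outright.
        if name.is_empty() || name.bytes().any(|b| !b.is_ascii_graphic() || b == b':') {
            return Err(Reject::BadHeaderName);
        }
        if name.eq_ignore_ascii_case("transfer-encoding") {
            // Assumption: only "chunked" is implemented; one exact coding is accepted.
            if chunked || !ows(value).eq_ignore_ascii_case("chunked") {
                return Err(Reject::BadTransferEncoding);
            }
            chunked = true;
        } else if name.eq_ignore_ascii_case("content-length") {
            let v = ows(value);
            // u64's parser accepts a leading '+', so require digits only.
            let n = match v.parse::<u64>() {
                Ok(n) if v.bytes().all(|b| b.is_ascii_digit()) => n,
                _ => return Err(Reject::BadContentLength),
            };
            // Repeated Content-Length headers must agree.
            if length.map_or(false, |prev| prev != n) {
                return Err(Reject::BadContentLength);
            }
            length = Some(n);
        }
    }
    match (chunked, length) {
        (true, Some(_)) => Err(Reject::LengthAndEncoding),
        (true, None) => Ok(Framing::Chunked),
        (false, Some(n)) => Ok(Framing::Length(n)),
        (false, None) => Ok(Framing::NoBody),
    }
}

fn main() {
    // Constructed input: both framing headers present, so it is refused.
    println!("{:?}", body_framing(&[("Content-Length", "4"), ("Transfer-Encoding", "chunked")]));
}
```

A request rejected here should be answered with a 400 and the connection closed, so no bytes after it are interpreted as a second pipelined request.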

Database specific
{
    "license": "CC0-1.0"
}
Affected packages

crates.io / tiny_http

Affected ranges

Type
SEMVER
Events
Introduced
0.0.0-0
Fixed
0.6.3
Introduced
0.7.0-0
Fixed
0.8.0

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [],
        "arch": []
    }
}

Database specific

{
    "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
    "informational": null,
    "categories": []
}