RUSTSEC-2021-0020

Source
https://rustsec.org/advisories/RUSTSEC-2021-0020
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2021-0020.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2021-0020
Aliases
Published
2021-02-05T12:00:00Z
Modified
2023-11-08T04:04:40.665260Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Multiple Transfer-Encoding headers cause the request payload to be misinterpreted
Details

hyper's HTTP server code had a flaw that caused some requests carrying multiple Transfer-Encoding headers to be treated as having a chunked payload, when such requests should have been rejected as illegal. Combined with an upstream HTTP proxy that interprets the request payload boundary differently, this can result in "request smuggling" or "desync attacks".

Database specific
{
    "license": "CC0-1.0"
}
References

Affected packages

crates.io / hyper

Package

Affected ranges

Type
SEMVER
Events
  • Introduced 0.12.0, Fixed 0.12.36
  • Introduced 0.13.0-0, Fixed 0.13.10
  • Introduced 0.14.0-0, Fixed 0.14.3

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [],
        "arch": []
    }
}

Database specific

{
    "cvss": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "informational": null,
    "categories": [
        "format-injection"
    ]
}