add advisory for actix-http HRS (#977)

* add actix-http HRS

* Update RUSTSEC-0000-0000.md

* Update RUSTSEC-0000-0000.md

* Adjust version ranges to make a hypothetical 4.0.0 patched

* drop nonexistent category

Co-authored-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
Rob Ede
2021-08-10 10:11:38 +01:00
committed by GitHub
parent 541c537a23
commit 7a42cb7e08

@@ -0,0 +1,16 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "actix-http"
date = "2021-06-16"
keywords = ["smuggling", "http", "reverse proxy", "request smuggling"]
[versions]
patched = ["^ 2.2.1", ">= 3.0.0-beta.9"]
```
# Potential request smuggling capabilities due to lack of input validation
Affected versions of this crate did not properly detect invalid requests that could allow HTTP/1 request smuggling (HRS) attacks when running alongside a vulnerable front-end proxy server. This can result in leaked internal and/or user data, including credentials, when the front-end proxy is also vulnerable.
Popular front-end proxies and load balancers already mitigate HRS attacks so it is recommended that they are also kept up to date; check your specific set up. You should upgrade even if the front-end proxy receives exclusively HTTP/2 traffic and connects to the back-end using HTTP/1; several downgrade attacks are known that can also expose HRS vulnerabilities.
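Review bot: the `[advisory]` table has no `url` (and no `aliases`), so a reader of this entry cannot get from it to the upstream actix-http fix or advisory to verify which request-validation checks were added; please add `url = "..."` pointing at the upstream advisory or fix commit, and an `aliases` entry if a CVE or GHSA identifier exists. On `patched = ["^ 2.2.1", ">= 3.0.0-beta.9"]`: with no `unaffected` list, every release below 2.2.1, including the whole 0.x and 1.x lines, will be reported as vulnerable by `cargo audit`; if that is intended it is worth saying so in the body, otherwise add an `unaffected` range. Minor wording in the body: "check your specific set up" should read "check your specific setup".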