From 7a42cb7e088b5b77c5b40905d4b83139e5ea63e8 Mon Sep 17 00:00:00 2001 From: Rob Ede Date: Tue, 10 Aug 2021 10:11:38 +0100 Subject: [PATCH] add advisory for actix-http HRS (#977) * add actix-http HRS * Update RUSTSEC-0000-0000.md * Update RUSTSEC-0000-0000.md * Adjust version ranges to make a hypothetical 4.0.0 patched * drop nonexistent category Co-authored-by: Sergey "Shnatsel" Davidoff --- crates/actix-http/RUSTSEC-0000-0000.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 crates/actix-http/RUSTSEC-0000-0000.md diff --git a/crates/actix-http/RUSTSEC-0000-0000.md b/crates/actix-http/RUSTSEC-0000-0000.md new file mode 100644 index 0000000..10862d2 --- /dev/null +++ b/crates/actix-http/RUSTSEC-0000-0000.md @@ -0,0 +1,16 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "actix-http" +date = "2021-06-16" +keywords = ["smuggling", "http", "reverse proxy", "request smuggling"] + +[versions] +patched = ["^ 2.2.1", ">= 3.0.0-beta.9"] +``` + +# Potential request smuggling capabilities due to lack of input validation + +Affected versions of this crate did not properly detect invalid requests that could allow HTTP/1 request smuggling (HRS) attacks when running alongside a vulnerable front-end proxy server. This can result in leaked internal and/or user data, including credentials, when the front-end proxy is also vulnerable. + +Popular front-end proxies and load balancers already mitigate HRS attacks so it is recommended that they are also kept up to date; check your specific set up. You should upgrade even if the front-end proxy receives exclusively HTTP/2 traffic and connects to the back-end using HTTP/1; several downgrade attacks are known that can also expose HRS vulnerabilities.