OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2026-01-23 20:05:15 +01:00
Code Issues Packages Projects Releases Wiki Activity

Assigned RUSTSEC-2021-0079 to hyper (#973)

Browse Source 
Co-authored-by: tarcieri <tarcieri@users.noreply.github.com>
This commit is contained in:
github-actions[bot]
2021-08-08 12:41:08 -07:00
committed by GitHub
parent 3a5de9c7b5
commit 82ce1aa716
2 changed files with 22 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.duplicate-id-guard
View File

@@ -1,3 +1,3 @@
This file causes merge conflicts if two ID assignment jobs run concurrently.
This prevents duplicate ID assignment due to a race between those jobs.
8774b8ca3f52e5e81096af4b1102d97953873237a02fcda2b894a4980646b5db -
cff9f66e36ad0e534c0ec14edae51f51b0d9437fee65d73d2e6c1fb360dbe013 -

42
crates/hyper/RUSTSEC-0000-0000.md → crates/hyper/RUSTSEC-2021-0079.md
View File

@@ -1,21 +1,21 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "hyper"
date = "2021-07-07"
url = "https://github.com/hyperium/hyper/security/advisories/GHSA-5h46-h7hh-c6x9"
keywords = ["http", "parsing", "data loss"]
aliases = ["CVE-2021-32714", "GHSA-5h46-h7hh-c6x9"]
[versions]
patched = [">= 0.14.10"]
```
# Integer overflow in `hyper`'s parsing of the `Transfer-Encoding` header leads to data loss
When decoding chunk sizes that are too large, `hyper`'s code would encounter an integer overflow. Depending on the situation,
this could lead to data loss from an incorrect total size, or in rarer cases, a request smuggling attack.
To be vulnerable, you must be using `hyper` for any HTTP/1 purpose, including as a client or server, and consumers must send
requests or responses that specify a chunk size greater than 18 exabytes. For a possible request smuggling attack to be possible,
any upstream proxies must accept a chunk size greater than 64 bits.
```toml
[advisory]
id = "RUSTSEC-2021-0079"
package = "hyper"
date = "2021-07-07"
url = "https://github.com/hyperium/hyper/security/advisories/GHSA-5h46-h7hh-c6x9"
keywords = ["http", "parsing", "data loss"]
aliases = ["CVE-2021-32714", "GHSA-5h46-h7hh-c6x9"]
[versions]
patched = [">= 0.14.10"]
```
# Integer overflow in `hyper`'s parsing of the `Transfer-Encoding` header leads to data loss
When decoding chunk sizes that are too large, `hyper`'s code would encounter an integer overflow. Depending on the situation,
this could lead to data loss from an incorrect total size, or in rarer cases, a request smuggling attack.
To be vulnerable, you must be using `hyper` for any HTTP/1 purpose, including as a client or server, and consumers must send
requests or responses that specify a chunk size greater than 18 exabytes. For a possible request smuggling attack to be possible,
any upstream proxies must accept a chunk size greater than 64 bits.