OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2026-01-07 04:01:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #757 from seanmonstar/hyper-wrong-chunked

Browse Source 
Add hyper wrong transfer-encoding advisory
This commit is contained in:
Sergey "Shnatsel" Davidoff
2021-02-06 00:02:59 +01:00
committed by GitHub
parent 24aaac905f c55cf597e8
commit 9007ee7267
1 changed files with 22 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
crates/hyper/RUSTSEC-0000-0000.md Normal file
View File

@@ -0,0 +1,22 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "hyper"
date = "2021-02-05"
url = "https://github.com/hyperium/hyper/security/advisories/GHSA-6hfq-h8hq-87mf"
categories = ["format-injection"]
keywords = ["http", "request-smuggling"]
aliases = ["CVE-2021-21299"]
[versions]
patched = [">= 0.14.3", "0.13.10"]
unaffected = ["< 0.12.0"]
```
# Multiple Transfer-Encoding headers misinterprets request payload
hyper's HTTP server code had a flaw that incorrectly understands some requests
with multiple transfer-encoding headers to have a chunked payload, when it
should have been rejected as illegal. This combined with an upstream HTTP proxy
that understands the request payload boundary differently can result in
"request smuggling" or "desync attacks".