OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2026-01-18 09:24:34 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add hyper wrong transfer-encoding advisory

Browse Source
This commit is contained in:
Sean McArthur
2021-02-05 14:57:30 -08:00
parent 24aaac905f
commit c55cf597e8
1 changed files with 22 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
crates/hyper/RUSTSEC-0000-0000.md Normal file
View File

@@ -0,0 +1,22 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "hyper"
date = "2021-02-05"
url = "https://github.com/hyperium/hyper/security/advisories/GHSA-6hfq-h8hq-87mf"
categories = ["format-injection"]
keywords = ["http", "request-smuggling"]
aliases = ["CVE-2021-21299"]
[versions]
patched = [">= 0.14.3", "0.13.10"]
unaffected = ["< 0.12.0"]
```
# Multiple Transfer-Encoding headers misinterprets request payload
hyper's HTTP server code had a flaw that incorrectly understands some requests
with multiple transfer-encoding headers to have a chunked payload, when it
should have been rejected as illegal. This combined with an upstream HTTP proxy
that understands the request payload boundary differently can result in
"request smuggling" or "desync attacks".