OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2026-01-05 19:20:34 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
3338fcfb59cea5fcd7d2a4e7fe24cbc7cb778003
advisory-db/crates/hyper/RUSTSEC-2017-0002.md
Alexis Mousset 84c633df9c Update aliases from GHSA OSV export (#1693)
2023-06-13 15:10:24 +02:00

23 lines
843 B
Markdown
Raw Blame History

```toml
[advisory]
id = "RUSTSEC-2017-0002"
package = "hyper"
aliases = ["CVE-2017-18587", "GHSA-q89x-f52w-6hj2"]
cvss = "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
date = "2017-01-23"
url = "https://github.com/hyperium/hyper/wiki/Security-001"
[versions]
patched = [">= 0.10.2", "< 0.10.0, >= 0.9.18"]
```
# headers containing newline characters can split messages
Serializing of headers to the socket did not filter the values for newline bytes (`\r` or `\n`),
which allowed for header values to split a request or response. People would not likely include
newlines in the headers in their own applications, so the way for most people to exploit this
is if an application constructs headers based on unsanitized user input.
This issue was fixed by replacing all newline characters with a space during serialization of
a header value.
Reference in New Issue View Git Blame Copy Permalink