OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2026-02-02 06:51:17 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
3338fcfb59cea5fcd7d2a4e7fe24cbc7cb778003
advisory-db/crates/hyper/RUSTSEC-2021-0079.md
Alexis Mousset 8c05fea5fa Add cvss information from nvd (#1085)
2021-10-19 16:14:35 -06:00

23 lines
1006 B
Markdown
Raw Blame History

```toml
[advisory]
id = "RUSTSEC-2021-0079"
package = "hyper"
date = "2021-07-07"
url = "https://github.com/hyperium/hyper/security/advisories/GHSA-5h46-h7hh-c6x9"
keywords = ["http", "parsing", "data loss"]
aliases = ["CVE-2021-32714", "GHSA-5h46-h7hh-c6x9"]
cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"
[versions]
patched = [">= 0.14.10"]
```
# Integer overflow in `hyper`'s parsing of the `Transfer-Encoding` header leads to data loss
When decoding chunk sizes that are too large, `hyper`'s code would encounter an integer overflow. Depending on the situation,
this could lead to data loss from an incorrect total size, or in rarer cases, a request smuggling attack.
To be vulnerable, you must be using `hyper` for any HTTP/1 purpose, including as a client or server, and consumers must send
requests or responses that specify a chunk size greater than 18 exabytes. For a possible request smuggling attack to be possible,
any upstream proxies must accept a chunk size greater than 64 bits.
Reference in New Issue View Git Blame Copy Permalink