OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2026-01-04 18:50:34 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
d8701fad2d40aeca8e8564692f14a8d7c30a5136
advisory-db/crates/tiny_http/RUSTSEC-2020-0031.md
Richard Bradfield 60455ec8b1 Mark patched tiny-http version for 2020-0031 (#875) 
* Mark patched tiny-http version for 2020-0031

A backport of the fix for 2020-0031 has been applied to the 0.6.x
branch, starting at 0.6.3, subsequent 0.6 versions are no longer
vulnerable.

* Fix version specification

Co-authored-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
2021-04-16 13:27:30 +02:00

734 B
Raw Blame History 

[advisory]
id = "RUSTSEC-2020-0031"
package = "tiny_http"
aliases = ["CVE-2020-35884"]
date = "2020-06-16"
keywords = ["http", "request-smuggling"]
url = "https://github.com/tiny-http/tiny-http/issues/173"

[versions]
patched = [">= 0.8.0", "^0.6.3"]

HTTP Request smuggling through malformed Transfer Encoding headers

HTTP pipelining issues and request smuggling attacks are possible due to incorrect Transfer encoding header parsing.

It is possible conduct HTTP request smuggling attacks (CL:TE/TE:TE) by sending invalid Transfer Encoding headers.

By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own.