Lucene search

[email protected]CVE-2021-32715

HistoryJul 07, 2021 - 8:15 p.m.

CVE-2021-32715

2021-07-0720:15:08

CWE-444

[email protected]

web.nvd.nist.gov

hyper

http library

rust

cve-2021-32715

vulnerability

request smuggling

desync attacks

content-length header

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

5.2 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

38.8%

JSON

hyper is an HTTP library for rust. hyper’s HTTP/1 server code had a flaw that incorrectly parses and accepts requests with a Content-Length header with a prefixed plus sign, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that doesn’t parse such Content-Length headers, but forwards them, can result in “request smuggling” or “desync attacks”. The flaw exists in all prior versions of hyper prior to 0.14.10, if built with rustc v1.5.0 or newer. The vulnerability is patched in hyper version 0.14.10. Two workarounds exist: One may reject requests manually that contain a plus sign prefix in the Content-Length header or ensure any upstream proxy handles Content-Length headers with a plus sign prefix.

Affected configurations

Vulners

NVD

Node

hyperiumhyperRange<0.14.10

CPENameOperatorVersion
hyper:hyperhyperlt0.14.10

CPE	Name	Operator	Version
hyper:hyper	hyper	lt	0.14.10

CNA Affected

[
  {
    "product": "hyper",
    "vendor": "hyperium",
    "versions": [
      {
        "status": "affected",
        "version": "< 0.14.10"
      }
    ]
  }
]