History: Sep 14, 2022 - 4:15 p.m.

CVE-2022-3212

2022-09-14 16:15:11
CWE-770
web.nvd.nist.gov
cve-2022-3212
memory exhaustion
unrestricted request
security vulnerability
nvd

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.001 Low
Percentile: 33.0%

<bytes::Bytes as axum_core::extract::FromRequest>::from_request did not, by default, set a limit on the size of the request body. That meant that if a malicious peer sent a very large (or infinite) body, your server might run out of memory and crash. This also applies to these extractors, which used Bytes::from_request internally:

- axum::extract::Form
- axum::extract::Json
- String

Affected configurations

NVD
Node
axum-core_project | axum-core | Range <0.2.8 | rust
OR
axum-core_project | axum-core | Match 0.3.0rc1 | rust

CNA Affected

[
  {
    "product": "axum-core",
    "vendor": "tokio-rs",
    "versions": [
      {
        "status": "affected",
        "version": "0.3.0-rc.1"
      },
      {
        "lessThan": "0.2.8",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]
