Lucene search

GitHub_MCVELIST:CVE-2021-32742

HistoryJul 09, 2021 - 2:00 p.m.

CVE-2021-32742 Untrusted data fed into `Data.init(base32Encoded:)` can result in exposing server memory and/or crash

2021-07-0914:00:11

CWE-502

GitHub_M

www.cve.org

untrusted data

data.init

base32encoded

vulnerability

vapor

swift

denial of service

patched

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

9.4

Confidence

High

EPSS

0.002

Percentile

55.1%

JSON

Vapor is a web framework for Swift. In versions 4.47.1 and prior, bug in the Data.init(base32Encoded:) function opens up the potential for exposing server memory and/or crashing the server (Denial of Service) for applications where untrusted data can end up in said function. Vapor does not currently use this function itself so this only impact applications that use the impacted function directly or through other dependencies. The vulnerability is patched in version 4.47.2. As a workaround, one may use an alternative to Vapor’s built-in Data.init(base32Encoded:).

CNA Affected

[
  {
    "product": "vapor",
    "vendor": "vapor",
    "versions": [
      {
        "status": "affected",
        "version": "<= 4.47.1"
      }
    ]
  }
]

References

github.com/vapor/vapor/releases/tag/4.47.2

github.com/vapor/vapor/security/advisories/GHSA-pqwh-c2f3-vxmq

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

9.4

Confidence

High

EPSS

0.002

Percentile

55.1%

JSON

Related for CVELIST:CVE-2021-32742