Description
Affected versions of this crate use the `time` crate and the method
`Duration::seconds` to parse the `Max-Age` duration cookie setting. This method
will panic if the value is greater than 2^64/1000 and less than or equal to
2^64, which can result in denial of service for a client or server.
This flaw was corrected by explicitly checking whether the `Max-Age` value falls in this
integer range and clamping it to the maximum duration value.
Affected Software
Related
{"id": "OSV:RUSTSEC-2017-0005", "bulletinFamily": "software", "title": "Large cookie Max-Age values can cause a denial of service", "description": "Affected versions of this crate use the `time` crate and the method\n`Duration::seconds` to parse the `Max-Age` duration cookie setting. This method\nwill panic if the value is greater than 2^64/1000 and less than or equal to\n2^64, which can result in denial of service for a client or server.\n\nThis flaw was corrected by explicitly checking for the `Max-Age` being in this\ninteger range and clamping the value to the maximum duration value.", "published": "2017-05-06T12:00:00", "modified": "2021-10-19T22:14:35", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "href": "https://osv.dev/vulnerability/RUSTSEC-2017-0005", "reporter": "Google", "references": ["https://crates.io/crates/cookie", "https://rustsec.org/advisories/RUSTSEC-2017-0005.html", "https://github.com/alexcrichton/cookie-rs/pull/86"], "cvelist": ["CVE-2017-18589"], "immutableFields": [], "type": "osv", "lastseen": "2022-05-11T21:34:34", 
"edition": 1, "viewCount": 1, "enchantments": {"affected_software": {"major_version": [{"name": "cookie", "version": 0}, {"name": "cookie", "version": 0}, {"name": "cookie", "version": 0}, {"name": "cookie", "version": 0}]}, "backreferences": {"references": [{"idList": ["RUSTSEC-2017-0005"], "type": "rustsec"}]}, "dependencies": {"references": [{"idList": ["CVE-2017-18589"], "type": "cve"}, {"idList": ["GHSA-VJRQ-CG9X-RFJP"], "type": "github"}, {"idList": ["OSV:GHSA-VJRQ-CG9X-RFJP"], "type": "osv"}, {"idList": ["DEBIANCVE:CVE-2017-18589"], "type": "debiancve"}, {"idList": ["RUSTSEC-2017-0005"], "type": "rustsec"}]}, "exploitation": null, "score": {"value": 4.1, "vector": "NONE"}, "epss": [{"cve": "CVE-2017-18589", "epss": "0.001030000", "percentile": "0.407160000", "modified": "2023-03-20"}], "vulnersScore": 4.1}, "_state": {"dependencies": 1659966727, "score": 1684016453, "affected_software_major_version": 1666695388, "epss": 1679326080}, "_internal": {"score_hash": "44ff2a1e69592953b2f35c7ee505d330"}, "affectedSoftware": [{"name": "cookie", "operator": "ge", "version": "0.6.0"}, {"name": "cookie", "operator": "lt", "version": "0.6.2"}, {"name": "cookie", "operator": "lt", "version": "0.7.6"}, {"name": "cookie", "operator": "ge", "version": "0.7.0-0"}]}
{"osv": [{"lastseen": "2022-05-11T21:47:36", "description": "An issue was discovered in the cookie crate before 0.7.6 for Rust. Large integers in the Max-Age of a cookie cause a panic.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2021-08-25T20:43:02", "type": "osv", "title": "Improper Input Validation in cookie", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-18589"], "modified": "2021-08-19T21:25:22", "id": "OSV:GHSA-VJRQ-CG9X-RFJP", "href": "https://osv.dev/vulnerability/GHSA-vjrq-cg9x-rfjp", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "rustsec": [{"lastseen": "2023-05-27T15:09:27", "description": "Affected versions of this crate use the `time` crate and the method\n`Duration::seconds` to parse the `Max-Age` duration cookie setting. 
This method\nwill panic if the value is greater than 2^64/1000 and less than or equal to\n2^64, which can result in denial of service for a client or server.\n\nThis flaw was corrected by explicitly checking for the `Max-Age` being in this\ninteger range and clamping the value to the maximum duration value.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-05-06T12:00:00", "type": "rustsec", "title": "Large cookie Max-Age values can cause a denial of service", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-18589"], "modified": "2021-10-19T22:14:35", "id": "RUSTSEC-2017-0005", "href": "https://rustsec.org/advisories/RUSTSEC-2017-0005", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "github": [{"lastseen": "2023-05-27T15:15:47", "description": "An issue was discovered in the cookie crate before 0.7.6 for Rust. 
Large integers in the Max-Age of a cookie cause a panic.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-08-25T20:43:02", "type": "github", "title": "Improper Input Validation in cookie", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-18589"], "modified": "2023-01-11T05:06:02", "id": "GHSA-VJRQ-CG9X-RFJP", "href": "https://github.com/advisories/GHSA-vjrq-cg9x-rfjp", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "cve": [{"lastseen": "2023-05-27T14:49:49", "description": "An issue was discovered in the cookie crate before 0.7.6 for Rust. 
Large integers in the Max-Age of a cookie cause a panic.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-08-26T18:15:00", "type": "cve", "title": "CVE-2017-18589", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-18589"], "modified": "2019-08-30T13:21:00", "cpe": [], "id": "CVE-2017-18589", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-18589", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": []}], "debiancve": [{"lastseen": "2023-05-27T15:16:12", "description": "An issue was discovered in the cookie crate before 0.7.6 for Rust. 
Large integers in the Max-Age of a cookie cause a panic.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-08-26T18:15:00", "type": "debiancve", "title": "CVE-2017-18589", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-18589"], "modified": "2019-08-26T18:15:00", "id": "DEBIANCVE:CVE-2017-18589", "href": "https://security-tracker.debian.org/tracker/CVE-2017-18589", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}]}