Lucene search
PRIOn knowledge basePRION:CVE-2021-32715HistoryJul 07, 2021 - 8:15 p.m.
Design/Logic Flaw
2021-07-0720:15:00
PRIOn knowledge base
www.prio-n.com
2
hyper is an HTTP library for rust. hyper’s HTTP/1 server code had a flaw that incorrectly parses and accepts requests with a Content-Length header with a prefixed plus sign, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that doesn’t parse such Content-Length headers, but forwards them, can result in “request smuggling” or “desync attacks”. The flaw exists in all prior versions of hyper prior to 0.14.10, if built with rustc v1.5.0 or newer. The vulnerability is patched in hyper version 0.14.10. Two workarounds exist: One may reject requests manually that contain a plus sign prefix in the Content-Length header or ensure any upstream proxy handles Content-Length headers with a plus sign prefix.
Related
ubuntucve
ubuntucve
CVE-2021-32715
2021-07-07 00:00:00
nvd
nvd
CVE-2021-32715
2021-07-07 20:15:08
github
github
Lenient Parsing of Content-Length Header When Prefixed with Plus Sign
2021-07-12 16:54:20
debiancve
debiancve
CVE-2021-32715
2021-07-07 20:15:08
redhatcve
redhatcve
CVE-2021-32715
2022-05-20 23:02:50
cvelist
cvelist
cve
cve
CVE-2021-32715
2021-07-07 20:15:08
rustsec
rustsec
osv
osv
Lenient Parsing of Content-Length Header When Prefixed with Plus Sign
2021-07-12 16:54:20
CVE-2021-32715
2021-07-07 20:15:08