4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
0.001 Low
EPSS
Percentile
38.8%
hyper is an HTTP library for rust. hyper’s HTTP/1 server code had a flaw
that incorrectly parses and accepts requests with a Content-Length
header
with a prefixed plus sign, when it should have been rejected as illegal.
This combined with an upstream HTTP proxy that doesn’t parse such
Content-Length
headers, but forwards them, can result in “request
smuggling” or “desync attacks”. The flaw exists in all prior versions of
hyper prior to 0.14.10, if built with rustc
v1.5.0 or newer. The
vulnerability is patched in hyper version 0.14.10. Two workarounds exist:
One may reject requests manually that contain a plus sign prefix in the
Content-Length
header or ensure any upstream proxy handles
Content-Length
headers with a plus sign prefix.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | rust-hyper | < any | UNKNOWN |
github.com/hyperium/hyper/security/advisories/GHSA-f3pg-qwvg-p99c
github.com/rust-lang/rust/pull/28826/commits/123a83326fb95366e94a3be1a74775df4db97739
launchpad.net/bugs/cve/CVE-2021-32715
nvd.nist.gov/vuln/detail/CVE-2021-32715
rustsec.org/advisories/RUSTSEC-2021-0078.html
security-tracker.debian.org/tracker/CVE-2021-32715
www.cve.org/CVERecord?id=CVE-2021-32715
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
0.001 Low
EPSS
Percentile
38.8%