CVE-2023-44386 Incorrect request error handling triggers server crash in Vapor

2023-10-0517:41:38

CWE-696

CWE-231

CWE-617

GitHub_M

github.com

vapor

http web framework

denial of service

vulnerability

http1 error handler

server crash

fix

release 4.84.2

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

AI Score

Confidence

High

SSVC

Exploitation

none

Automatable

yes

Technical Impact

partial

JSON

Vapor is an HTTP web framework for Swift. There is a denial of service vulnerability impacting all users of affected versions of Vapor. The HTTP1 error handler closed connections when HTTP parse errors occur instead of passing them on. The issue is fixed as of Vapor release 4.84.2.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:vapor:vapor:*:*:*:*:*:*:*:*"
    ],
    "vendor": "vapor",
    "product": "vapor",
    "versions": [
      {
        "status": "affected",
        "version": "4.83.2",
        "lessThan": "4.84.2",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]