CVE-2017-18587

MEDIUM5.3EPSS 0.21%

headers containing newline characters can split messages

發布日:2021/8/25修改日:2023/11/8

也稱為:GHSA-q89x-f52w-6hj2RUSTSEC-2017-0002

描述

Serializing of headers to the socket did not filter the values for newline bytes (`\r` or `\n`), which allowed for header values to split a request or response. People would not likely include newlines in the headers in their own applications, so the way for most people to exploit this is if an application constructs headers based on unsanitized user input. This issue was fixed by replacing all newline characters with a space during serialization of a header value.

受影響套件(2)

crates.io/hyper>= 0.10.0, < 0.10.2
crates.io/hyper>= 0.0.0-0, < 0.9.18, >= 0.10.0, < 0.10.2

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

參考連結(5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-18587
PATCHhttps://crates.io/crates/hyper
PATCHhttps://github.com/hyperium/hyper
WEBhttps://github.com/hyperium/hyper/wiki/Security-001
WEBhttps://rustsec.org/advisories/RUSTSEC-2017-0002.html