CVE-2021-32715

LOW3.1EPSS 0.29%

Lenient `hyper` header parsing of `Content-Length` could allow request smuggling

發布日:2021/7/12修改日:2023/11/8

也稱為:GHSA-f3pg-qwvg-p99cCGA-4r22-5fcr-wpv3RUSTSEC-2021-0078

描述

`hyper`'s HTTP header parser accepted, according to RFC 7230, illegal contents inside `Content-Length` headers. Due to this, upstream HTTP proxies that ignore the header may still forward them along if it chooses to ignore the error. To be vulnerable, `hyper` must be used as an HTTP/1 server and using an HTTP proxy upstream that ignores the header's contents but still forwards it. Due to all the factors that must line up, an attack exploiting this vulnerability is unlikely.

受影響套件(3)

crates.io/hyperfrom 0, < 0.14.10
crates.io/hyper>= 0.0.0-0, < 0.14.10
Debian/rust-hyperfrom 0, < 0.14.19-1

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	LOW3.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

參考連結(8)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-32715
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2021-32715
PATCHhttps://crates.io/crates/hyper
PATCHhttps://github.com/hyperium/hyper
WEBhttps://github.com/hyperium/hyper/commit/1fb719e0b61a4f3d911562a436a2ff05fd7cb759
WEBhttps://github.com/hyperium/hyper/security/advisories/GHSA-f3pg-qwvg-p99c
WEBhttps://github.com/rust-lang/rust/pull/28826/commits/123a83326fb95366e94a3be1a74775df4db97739
WEBhttps://rustsec.org/advisories/RUSTSEC-2021-0078.html