CVE-2021-32715
Summary
| CVE | CVE-2021-32715 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-07-07 20:15:00 UTC |
| Updated | 2021-07-22 12:49:00 UTC |
| Description | hyper is an HTTP library for rust. hyper's HTTP/1 server code had a flaw that incorrectly parses and accepts requests with a `Content-Length` header with a prefixed plus sign, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that doesn't parse such `Content-Length` headers, but forwards them, can result in "request smuggling" or "desync attacks". The flaw exists in all prior versions of hyper prior to 0.14.10, if built with `rustc` v1.5.0 or newer. The vulnerability is patched in hyper version 0.14.10. Two workarounds exist: One may reject requests manually that contain a plus sign prefix in the `Content-Length` header or ensure any upstream proxy handles `Content-Length` headers with a plus sign prefix. |
Risk And Classification
Problem Types: CWE-444
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Lenient Parsing of Content-Length Header When Prefixed with Plus Sign · Advisory · hyperium/hyper · GitHub | CONFIRM | github.com | |
| Integer parsing should accept leading plus by arthurprs · Pull Request #28826 · rust-lang/rust · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 182602 Debian Security Update for rust-hyper (CVE-2021-32715)