CVE-2021-32715 Vulnerability Details

  /     /     /  

CVE-2021-32715 Metadata Quick Info

CVE Published: 07/07/2021 | CVE Updated: 03/08/2024 | CVE Year: 2021
Source: GitHub_M | Vendor: hyperium | Product: hyper
Status : PUBLISHED

---

CVE-2021-32715 Description

hyper is an HTTP library for rust. hyper\'s HTTP/1 server code had a flaw that incorrectly parses and accepts requests with a `Content-Length` header with a prefixed plus sign, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that doesn\'t parse such `Content-Length` headers, but forwards them, can result in "request smuggling" or "desync attacks". The flaw exists in all prior versions of hyper prior to 0.14.10, if built with `rustc` v1.5.0 or newer. The vulnerability is patched in hyper version 0.14.10. Two workarounds exist: One may reject requests manually that contain a plus sign prefix in the `Content-Length` header or ensure any upstream proxy handles `Content-Length` headers with a plus sign prefix.

Metrics

CVSS Version: 3.1 | Base Score: 3.1 LOW
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

l➤ Exploitability Metrics:
    Attack Vector (AV)* NETWORK
    Attack Complexity (AC)* HIGH
    Privileges Required (PR)* NONE
    User Interaction (UI)* REQUIRED
    Scope (S)* UNCHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* LOW
    Integrity Impact (I)* NONE
    Availability Impact (A)* NONE

Weakness Enumeration (CWE)

CWE-ID: CWE-444
CWE Name: CWE-444: Inconsistent Interpretation of HTTP Requests ( HTTP Request Smuggling )
Source: hyperium

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).