Merge pull request #255 from DemiMarie-parity/smuggling

Add hyper request smuggling vulnerability
rustsec · Mar 31, 2020 · 66112b3 · 66112b3
2 parents 81193d1 + 91eed85
commit 66112b3
Showing 1 changed file with 27 additions and 0 deletions.
diff --git a/crates/hyper/RUSTSEC-0000-0000.toml b/crates/hyper/RUSTSEC-0000-0000.toml
@@ -0,0 +1,27 @@
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "hyper"
+date = "2020-03-19"
+title = "Flaw in hyper allows request smuggling by sending a body in GET requests"
+url = "https://github.com/hyperium/hyper/issues/1925"
+categories = ["format-injection"]
+keywords = ["http", "request-smuggling"]
+
+description = """
+Vulnerable versions of hyper allow GET requests to have bodies, even if there is
+no Transfer-Encoding or Content-Length header.  As per the HTTP 1.1
+specification, such requests do not have bodies, so the body will be interpreted
+as a separate HTTP request.
+
+This allows an attacker who can control the body and method of an HTTP request
+made by hyper to inject a request with headers that would not otherwise be
+allowed, as demonstrated by sending a malformed HTTP request from a Substrate
+runtime.  This allows bypassing CORS restrictions.  In combination with other
+vulnerabilities, such as an exploitable web server listening on loopback, it may
+allow remote code execution.
+
+The flaw was corrected in hyper version 0.12.35.
+"""
+
+[versions]
+patched = [">= 0.12.35"]