hyper hyper http请求的解释不一致性(http请求私运)

admin
admin
admin
0
文章
0
评论
2023-12-01 16:19:28 Ali_nvd 来源:ZONE.CI 全球网 0 阅读模式
中危 hyper hyper http请求的解释不一致性(http请求私运)

CVE编号

CVE-2021-21299

利用情况

暂无

补丁情况

官方补丁

披露时间

2021-02-12
漏洞描述
hyper is an open-source HTTP library for Rust (crates.io). In hyper from version 0.12.0 and before versions 0.13.10 and 0.14.3 there is a vulnerability that can enable a request smuggling attack. The HTTP server code had a flaw that incorrectly understands some requests with multiple transfer-encoding headers to have a chunked payload, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that understands the request payload boundary differently can result in "request smuggling" or "desync attacks". To determine if vulnerable, all these things must be true: 1) Using hyper as an HTTP server (the client is not affected), 2) Using HTTP/1.1 (HTTP/2 does not use transfer-encoding), 3) Using a vulnerable HTTP proxy upstream to hyper. If an upstream proxy correctly rejects the illegal transfer-encoding headers, the desync attack cannot succeed. If there is no proxy upstream of hyper, hyper cannot start the desync attack, as the client will repair the headers before forwarding. This is fixed in versions 0.14.3 and 0.13.10. As a workaround one can take the following options: 1) Reject requests that contain a `transfer-encoding` header, 2) Ensure any upstream proxy handles `transfer-encoding` correctly.
解决建议
建议您更新当前系统或软件至最新版,完成漏洞的修复。
参考链接
https://crates.io/crates/hyper
https://github.com/hyperium/hyper/commit/8f93123efef5c1361086688fe4f34c83c89cec02
https://github.com/hyperium/hyper/security/advisories/GHSA-6hfq-h8hq-87mf
https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn
https://rustsec.org/advisories/RUSTSEC-2021-0020.html
受影响软件情况
# 类型 厂商 产品 版本 影响面
1
运行在以下环境
应用 hyper hyper * From (including) 0.12.0 Up to (excluding) 0.13.10
运行在以下环境
应用 hyper hyper * From (including) 0.14.0 Up to (excluding) 0.14.3
运行在以下环境
系统 debian_12 rust-hyper * Up to (excluding) 0.14.19-1
运行在以下环境
系统 debian_sid rust-hyper * Up to (excluding) 0.14.19-1
阿里云评分 5.5
  • 攻击路径 远程
  • 攻击复杂度 复杂
  • 权限要求 无需权限
  • 影响范围 越权影响
  • EXP成熟度 N/A
  • 补丁情况 官方补丁
  • 数据保密性 数据泄露
  • 数据完整性 传输被破坏
  • 服务器危害 无影响
  • 全网数量 N/A
CWE-ID 漏洞类型
CWE-444 HTTP请求的解释不一致性(HTTP请求私运)
- avd.aliyun.com
weinxin
版权声明
本站原创文章转载请注明文章出处及链接,谢谢合作!
ZONE.CI 全球网 | 安全领域涉猎者-乌云独行地带
ZONE.CI 全球网
安全领域涉猎者-乌云独行地带
N/A Ali_nvd

N/A

N/ACVE编号 CVE-2024-9120利用情况 暂无补丁情况 N/A披露时间 2024-09-23漏洞描述Use after free in Dawn
09-260 评论
ZONE.CI 全球网 | 安全领域涉猎者-乌云独行地带
安全领域涉猎者-乌云独行地带
ZONE.CI 全球网
评论:0   参与:  0