CVE-2021-32715

Lenient Parsing of Content-Length Header When Prefixed with Plus Sign

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

hyper is an HTTP library for rust. hyper's HTTP/1 server code had a flaw that incorrectly parses and accepts requests with a `Content-Length` header with a prefixed plus sign, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that doesn't parse such `Content-Length` headers, but forwards them, can result in "request smuggling" or "desync attacks". The flaw exists in all prior versions of hyper prior to 0.14.10, if built with `rustc` v1.5.0 or newer. The vulnerability is patched in hyper version 0.14.10. Two workarounds exist: One may reject requests manually that contain a plus sign prefix in the `Content-Length` header or ensure any upstream proxy handles `Content-Length` headers with a plus sign prefix.

El código del servidor HTTP/1 de hyper presentaba un fallo que analizaba y aceptaba incorrectamente peticiones con una cabecera "Content-Length" con un signo más prefijado, cuando debería haber sido rechazada como ilegal. Esto, combinado con un proxy HTTP ascendente que no analiza dichas cabeceras "Content-Length", sino que las reenvía, puede resultar en "request smuggling" o "desync attacks". El fallo se presenta en todas las versiones de hyper anteriores a 0.14.10, si se construye con "rustc" versión v1.5.0 o más reciente. La vulnerabilidad está parcheada en la versión 0.14.10 de hyper. Se presentan dos soluciones: Uno puede rechazar manualmente las peticiones que contengan un prefijo de signo más en la cabecera "Content-Length" o asegurarse de que cualquier proxy upstream maneja las cabeceras "Content-Length" con un prefijo de signo más

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-05-12 CVE Reserved
2021-07-07 CVE Published
2024-03-22 EPSS Updated
2024-08-03 CVE Updated
2024-08-03 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC
https://github.com/hyperium/hyper/security/advisories/GHSA-f3pg-qwvg-p99c	2024-08-03

URL	Date	SRC
https://github.com/rust-lang/rust/pull/28826/commits/123a83326fb95366e94a3be1a74775df4db97739	2021-07-22

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Hyper Search vendor "Hyper"		Hyper Search vendor "Hyper" for product "Hyper"				< 0.14.10 Search vendor "Hyper" for product "Hyper" and version " < 0.14.10"		rust		Affected