HistoryEditJSON (OSV)

RUSTSEC-2017-0002

headers containing newline characters can split messages

Reported
Issued
Package
hyper (crates.io)
Type
Vulnerability
Aliases
References
CVSS Score
5.3 MEDIUM
CVSS Details
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Patched
  • >=0.10.2
  • <0.10.0, >=0.9.18

Description

Serializing of headers to the socket did not filter the values for newline bytes (\r or \n), which allowed for header values to split a request or response. People would not likely include newlines in the headers in their own applications, so the way for most people to exploit this is if an application constructs headers based on unsanitized user input.

This issue was fixed by replacing all newline characters with a space during serialization of a header value.

Advisory available under CC0-1.0 license.