Reported

January 24, 2020

Issued

October 1, 2020 (last modified: June 13, 2023)

Package

actix-http (crates.io)

Type

Vulnerability

Categories

• memory-corruption

Aliases

• CVE-2020-35901
• GHSA-v3j6-xf77-8r9c

References

• https://github.com/actix/actix-web/issues/1321

CVSS Score

7.5 HIGH

CVSS Details

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality Impact

None

Integrity Impact

None

Availability Impact

High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Patched

• >=2.0.0-alpha.1

Description

Affected versions of this crate did not require the buffer wrapped in BodyStream to be pinned, but treated it as if it had a fixed location in memory. This may result in a use-after-free.

The flaw was corrected by making the trait MessageBody require Unpin and making poll_next() function accept Pin<&mut Self> instead of &mut self.

Advisory available under CC0-1.0 license.