GHSA-7vm6-qwh5-9x44

Published: 04 Nov 2024
Source: github
GitHub: reviewed
CVSS4: 5.1
CVSS3: 4.3

Description

loona-hpack Panic Vulnerability

Summary

loona-hpack suffers from the same vulnerability as the original `hpack` crate, as documented in https://github.com/mlalic/hpack-rs/issues/11

Details

The original issue includes a thorough description of the problem, as well as a straightforward fix for it.

PoC

The original issue's example still applies; decoding this single byte with the `Decoder` panics instead of returning an error:

```rust
use loona_hpack::Decoder;

pub fn main() {
    // One malformed byte is enough: decode() panics rather than returning Err.
    let input = &[0x3f];
    let mut decoder = Decoder::new();
    let _ = decoder.decode(input);
}
```
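The following is an added example and is not code from loona-hpack or hpack-rs. It shows why the one-byte PoC is malformed and what a hardened decoder does with it. Per RFC 7541 §6.3, a first byte of the form `001xxxxx` is a dynamic table size update carrying a 5-bit integer prefix; in `0x3f` that prefix is all ones (`0b11111`), which by §5.1 means "a continuation byte follows", but the input ends there. A decoder that indexes past the end, or otherwise fails to check for that condition (CWE-754), panics; the bounds-checked decoder below returns a `Truncated` error instead. The crate's actual panic site is not reproduced here; the enum and function names are this example's own.

```rust
/// HPACK integer decoding (RFC 7541 §5.1) that reports malformed input as an
/// error instead of panicking. Illustrative code, not loona-hpack's decoder.

#[derive(Debug, PartialEq)]
pub enum IntError {
    /// Buffer was empty where an integer's first byte was expected.
    Empty,
    /// Input ended while the "more bytes follow" bit was still set.
    Truncated,
    /// Value does not fit in a u64 (attacker-controlled length/size).
    TooLarge,
}

/// Decode an integer whose first byte carries a `prefix_bits`-wide prefix.
/// Returns (value, bytes consumed). `prefix_bits` must be 1..=8 (caller contract).
pub fn decode_integer(buf: &[u8], prefix_bits: u8) -> Result<(u64, usize), IntError> {
    assert!((1..=8).contains(&prefix_bits), "caller bug: prefix must be 1..=8");
    let first = *buf.first().ok_or(IntError::Empty)?;
    let mask: u8 = ((1u16 << prefix_bits) - 1) as u8;
    let mut value = u64::from(first & mask);
    if value < u64::from(mask) {
        return Ok((value, 1)); // value fits in the prefix, no continuation
    }
    // Continuation bytes: 7 payload bits each, least significant group first,
    // top bit set means another byte follows.
    let mut shift: u32 = 0;
    for (i, &b) in buf[1..].iter().enumerate() {
        if shift >= 64 {
            return Err(IntError::TooLarge);
        }
        // checked_* so an absurd encoding cannot overflow (and panic in debug).
        value = u64::from(b & 0x7f)
            .checked_mul(1u64 << shift)
            .and_then(|part| value.checked_add(part))
            .ok_or(IntError::TooLarge)?;
        if b & 0x80 == 0 {
            return Ok((value, i + 2)); // first byte + (i + 1) continuation bytes
        }
        shift += 7;
    }
    // Ran off the end with the continuation bit still set: the PoC's case.
    Err(IntError::Truncated)
}

/// Field representation selected by the first byte of a header field (RFC 7541 §6).
#[derive(Debug, PartialEq)]
pub enum Repr {
    Indexed,           // 1xxxxxxx, 7-bit prefix
    LiteralIndexed,    // 01xxxxxx, 6-bit prefix
    SizeUpdate,        // 001xxxxx, 5-bit prefix
    LiteralNotIndexed, // 0000xxxx / 0001xxxx, 4-bit prefix
}

/// Map the first byte to its representation and integer prefix width.
pub fn classify(first: u8) -> (Repr, u8) {
    if first & 0x80 != 0 {
        (Repr::Indexed, 7)
    } else if first & 0x40 != 0 {
        (Repr::LiteralIndexed, 6)
    } else if first & 0x20 != 0 {
        (Repr::SizeUpdate, 5)
    } else {
        (Repr::LiteralNotIndexed, 4)
    }
}

/// Decode the leading integer (index or new table size) of the first field in `block`.
pub fn decode_first_integer(block: &[u8]) -> Result<(Repr, u64, usize), IntError> {
    let first = *block.first().ok_or(IntError::Empty)?;
    let (repr, bits) = classify(first);
    let (value, used) = decode_integer(block, bits)?;
    Ok((repr, value, used))
}

fn main() {
    // The advisory's PoC byte: a size update whose 5-bit prefix is all ones.
    println!("{:?}", decode_first_integer(&[0x3f])); // Err(Truncated)
    // RFC 7541 Appendix C.1.2: 1337 with a 5-bit prefix.
    println!("{:?}", decode_integer(&[0x1f, 0x9a, 0x0a], 5)); // Ok((1337, 3))
}
```

The two checks that matter for this bug class are the `buf.first()` / iterator-driven loop (never indexing past the slice) and the explicit `Truncated` return after the loop; the `checked_*` arithmetic closes the related overflow case, since the same integer encoding also carries string lengths and table sizes from untrusted peers.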

Impact

From the original issue: all users who decode untrusted input with the `Decoder` are affected. A patched version of the original `hpack` crate is available on [crates.io](https://crates.io/crates/hpack-patched) under the name hpack-patched; see [Cargo's documentation on overriding dependencies](https://doc.rust-lang.org/cargo/reference/overriding-dependencies.html) for how to substitute it. Note that hpack-patched is a fix for `hpack`, not for loona-hpack; loona-hpack users should upgrade to 0.4.3 or later.

Packages

Name: loona-hpack (rust)
Affected versions: <= 0.4.2
Fixed version: 0.4.3

EPSS

Score: 0.00224 (percentile: 45%), Low

CVSS4: 5.1 (Medium)
CVSS3: 4.3 (Medium)

Weaknesses

CWE-754 (Improper Check for Unusual or Exceptional Conditions)
CWE-755 (Improper Handling of Exceptional Conditions)

Related vulnerabilities

NVD (more than 1 year ago)

loona is an experimental HTTP/1.1 and HTTP/2 implementation in Rust on top of io-uring. `loona-hpack` suffers from the same vulnerability as the original `hpack` crate, as documented in hpack-rs issue #11. All users who decode untrusted input using the Decoder are vulnerable to this exploit. This issue has been addressed in release version 0.4.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.
