CVE-2021-32742

Опубликовано: 09 июл. 2021

Источник: nvd

CVSS3: 7.5

CVSS3: 9.1

CVSS2: 6.4

EPSS Низкий

Описание

Vapor is a web framework for Swift. In versions 4.47.1 and prior, bug in the Data.init(base32Encoded:) function opens up the potential for exposing server memory and/or crashing the server (Denial of Service) for applications where untrusted data can end up in said function. Vapor does not currently use this function itself so this only impact applications that use the impacted function directly or through other dependencies. The vulnerability is patched in version 4.47.2. As a workaround, one may use an alternative to Vapor's built-in Data.init(base32Encoded:).

Ссылки

https://github.com/vapor/vapor/releases/tag/4.47.2
Release Notes
Third Party Advisory
https://github.com/vapor/vapor/security/advisories/GHSA-pqwh-c2f3-vxmq
Third Party Advisory
https://github.com/vapor/vapor/releases/tag/4.47.2
Release Notes
Third Party Advisory
https://github.com/vapor/vapor/security/advisories/GHSA-pqwh-c2f3-vxmq
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:vapor_project:vapor:*:*:*:*:*:swift:*:*

Версия до 4.47.2 (исключая)

EPSS

Процентиль: 59%

0.00374

Низкий

7.5 High

CVSS3

9.1 Critical

CVSS3

6.4 Medium

CVSS2

Дефекты

CWE-502

Связанные уязвимости

GHSA-pqwh-c2f3-vxmq

github

больше 2 лет назад

Untrusted data fed into `Data.init(base32Encoded:)` can result in exposing server memory and/or crash

EPSS

Процентиль: 59%

0.00374

Низкий

7.5 High

CVSS3

9.1 Critical

CVSS3

6.4 Medium

CVSS2

Дефекты

CWE-502