Bug #18903

closed

Vulnerabilities in relayd hyper dependency

Added by Alexis Mousset almost 4 years ago. Updated over 3 years ago.

Status:
Released
Priority:
N/A
Category:
Security
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
Checked
Regression:

Description

07:42:33 error[A001]: Multiple Transfer-Encoding headers misinterprets request payload
07:42:33    ┌─ /home/jenkins/workspace/rudder-relayd-6.1/relay/sources/relayd/Cargo.lock:76:1
07:42:33    │
07:42:33 76 │ hyper 0.12.35 registry+https://github.com/rust-lang/crates.io-index
07:42:33    │ ------------------------------------------------------------------- security vulnerability detected
07:42:33    │
07:42:33    = ID: RUSTSEC-2021-0020
07:42:33    = Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0020
07:42:33    = hyper's HTTP server code had a flaw that incorrectly understands some requests
07:42:33      with multiple transfer-encoding headers to have a chunked payload, when it
07:42:33      should have been rejected as illegal. This combined with an upstream HTTP proxy
07:42:33      that understands the request payload boundary differently can result in
07:42:33      "request smuggling" or "desync attacks".
07:42:33    = Announcement: https://github.com/hyperium/hyper/security/advisories/GHSA-6hfq-h8hq-87mf
07:42:33    = Solution: Upgrade to >=0.14.3 OR >=0.13.10, <0.14.0
07:42:33    = hyper v0.12.35
07:42:33      ├── hyper-tls v0.3.2
07:42:33      │   └── reqwest v0.9.24
07:42:33      │       └── relayd v0.0.0-dev
07:42:33      ├── relayd v0.0.0-dev (*)
07:42:33      ├── reqwest v0.9.24 (*)
07:42:33      └── warp v0.1.22
07:42:33          └── relayd v0.0.0-dev (*)