Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cveGitHub_MCVE-2022-39294
HistoryOct 31, 2022 - 7:15 p.m.

CVE-2022-39294

2022-10-3119:15:10
CWE-1284
CWE-400
GitHub_M
web.nvd.nist.gov
41
5
cve-2022-39294
security
vulnerability
hyper
panic
request length
memory allocation
rust
crates.io

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

38.4%

JSON

conduit-hyper integrates a conduit application with the hyper server. Prior to version 0.4.2, conduit-hyper did not check any limit on a request’s length before calling hyper::body::to_bytes. An attacker could send a malicious request with an abnormally large Content-Length, which could lead to a panic if memory allocation failed for that request. In version 0.4.2, conduit-hyper sets an internal limit of 128 MiB per request, otherwise returning status 400 (“Bad Request”). This crate is part of the implementation of Rust’s crates.io, but that service is not affected due to its existing cloud infrastructure, which already drops such malicious requests. Even with the new limit in place, conduit-hyper is not recommended for production use, nor to directly serve the public Internet.

Affected configurations

Nvd
Vulners
Node
conduit-hyper_projectconduit-hyperRange0.2.00.4.2rust
OR
conduit-hyper_projectconduit-hyperMatch0.2.0-rust
OR
conduit-hyper_projectconduit-hyperMatch0.2.0alpha3rust
OR
conduit-hyper_projectconduit-hyperMatch0.2.0alpha4rust
VendorProductVersionCPE
conduit-hyper_projectconduit-hyper*cpe:2.3:a:conduit-hyper_project:conduit-hyper:*:*:*:*:*:rust:*:*
conduit-hyper_projectconduit-hyper0.2.0cpe:2.3:a:conduit-hyper_project:conduit-hyper:0.2.0:-:*:*:*:rust:*:*
conduit-hyper_projectconduit-hyper0.2.0cpe:2.3:a:conduit-hyper_project:conduit-hyper:0.2.0:alpha3:*:*:*:rust:*:*
conduit-hyper_projectconduit-hyper0.2.0cpe:2.3:a:conduit-hyper_project:conduit-hyper:0.2.0:alpha4:*:*:*:rust:*:*

CNA Affected

[
  {
    "vendor": "conduit-rust",
    "product": "conduit-hyper",
    "versions": [
      {
        "version": ">= 0.2.0-alpha.3, < 0.4.2",
        "status": "affected"
      }
    ]
  }
]

Social References

More

Related

nvd 1
prion 1
github 1
osv 3
rustsec 1
cvelist 1
nvd
nvd
CVE-2022-39294
2022-10-31 19:15:10
prion
prion
Design/Logic Flaw
2022-10-31 19:15:00
github
github
conduit-hyper vulnerable to Denial of Service from unchecked request length
2022-10-31 18:44:47
osv
osv
conduit-hyper vulnerable to Denial of Service from unchecked request length
2022-10-31 18:44:47
CVE-2022-39294
2022-10-31 19:15:10
Denial of Service from unchecked request length
2022-10-30 12:00:00
rustsec
rustsec
Denial of Service from unchecked request length
2022-10-30 12:00:00
cvelist
cvelist
CVE-2022-39294 (DoS) Denial of Service from unchecked request length in conduit-hyper
2022-10-31 00:00:00

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

38.4%

JSON
Related for CVE-2022-39294
nvd1prion1github1osv3rustsec1cvelist1