From 91eed8534666cc93b27fd06bf768d1eb4e28e6ee Mon Sep 17 00:00:00 2001
From: "Demi M. Obenour"
Date: Mon, 30 Mar 2020 18:57:51 -0400
Subject: [PATCH] Note that another vulnerability is needed for RCE

Also make some trivial changes to pass the linter.
---
 ...TSEC-2020-0000.toml => RUSTSEC-0000-0000.toml} | 15 +++------------
 1 file changed, 3 insertions(+), 12 deletions(-)
 rename crates/hyper/{RUSTSEC-2020-0000.toml => RUSTSEC-0000-0000.toml} (59%)

diff --git a/crates/hyper/RUSTSEC-2020-0000.toml b/crates/hyper/RUSTSEC-0000-0000.toml
similarity index 59%
rename from crates/hyper/RUSTSEC-2020-0000.toml
rename to crates/hyper/RUSTSEC-0000-0000.toml
index 5eaefdd8..ff01c881 100644
--- a/crates/hyper/RUSTSEC-2020-0000.toml
+++ b/crates/hyper/RUSTSEC-0000-0000.toml
@@ -1,6 +1,3 @@
-# Before you submit a PR using this template, **please delete the comments**
-# explaining each field, as well as any unused fields.
-
 [advisory]
 id = "RUSTSEC-0000-0000"
 package = "hyper"
@@ -10,11 +7,6 @@ url = "https://github.com/hyperium/hyper/issues/1925"
 categories = ["format-injection"]
 keywords = ["http", "request-smuggling"]

-# Vulnerability aliases, e.g. CVE IDs (optional but recommended)
-# Request a CVE for your RustSec vulns: https://iwantacve.org/
-#aliases = ["CVE-2018-XXXX"]
-
-# Enter a short-form description of the vulnerability here (mandatory)
 description = """
 Vulnerable versions of hyper allow GET requests to have bodies, even if there is
 no Transfer-Encoding or Content-Length header. As per the HTTP 1.1
@@ -24,13 +16,12 @@ as a separate HTTP request.
 This allows an attacker who can control the body and method of an HTTP request
 made by hyper to inject a request with headers that would not otherwise be
 allowed, as demonstrated by sending a malformed HTTP request from a Substrate
-runtime. This allows bypassing CORS restrictions and may allow remote code
-execution in certain scenarios, such as if there is an exploitable web server
-listening on loopback.
+runtime. This allows bypassing CORS restrictions. In combination with other
+vulnerabilities, such as an exploitable web server listening on loopback, it may
+allow remote code execution.

 The flaw was corrected in hyper version 0.12.35.
 """

-# Versions which include fixes for this vulnerability (mandatory)
 [versions]
 patched = [">= 0.12.35"]
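Review bot: The `[versions]` table that closes this hunk carries only `patched = [">= 0.12.35"]`, and the file appears to end there, so the advisory has an open-ended patched bound and no `unaffected` entry. Audit tooling will presumably report every release below 0.12.35 as vulnerable and every later release line as fixed. If the GET-body behaviour was introduced at a known release, a line such as `unaffected = ["< FIRST_AFFECTED_VERSION"]` (placeholder, to be filled in from the upstream issue) would avoid false positives. It is also worth confirming that later release lines contain the fix. With the commented `aliases` template line deleted earlier in the patch, a CVE alias would have to be added back by hand once one is assigned.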