lukebrogan-mend / vulnerable-rust


hyper-0.13.5.crate: 18 vulnerabilities (highest severity is: 9.3) #39

Open mend-for-github-com[bot] opened 2 years ago

mend-for-github-com[bot] commented 2 years ago
## Vulnerable Library - hyper-0.13.5.crate

A fast and correct HTTP library.

Library home page: https://crates.io/api/v1/crates/hyper/0.13.5/download

Path to dependency file: /Cargo.toml

Path to vulnerable library: /Cargo.toml

Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411

## Vulnerabilities

| CVE | Severity | CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (hyper version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| WS-2023-0027 | Critical | 9.3 | Not Defined | | tokio-0.2.21.crate | Transitive | N/A* | | |
| CVE-2021-45710 | Critical | 9.2 | Not Defined | 0.2% | tokio-0.2.21.crate | Transitive | N/A* | | |
| CVE-2023-26964 | High | 8.7 | Not Defined | 0.1% | detected in multiple dependencies | Transitive | N/A* | | |
| CVE-2020-35906 | High | 8.5 | Not Defined | 0.1% | futures-task-0.3.5.crate | Transitive | N/A* | | |
| CVE-2022-31394 | High | 8.2 | Not Defined | 0.1% | hyper-0.13.5.crate | Direct | hyper - v0.14.19 | | |
| CVE-2021-38191 | High | 8.2 | Not Defined | 0.1% | tokio-0.2.21.crate | Transitive | N/A* | | |
| CVE-2021-32714 | High | 8.2 | Not Defined | 0.1% | hyper-0.13.5.crate | Direct | hyper - 0.14.10 | | |
| CVE-2020-36471 | High | 8.2 | Not Defined | 0.1% | generator-0.6.21.crate | Transitive | N/A* | | |
| WS-2022-0132 | High | 7.5 | Not Defined | | hyper-0.13.5.crate | Direct | hyper - 0.14.12 | | |
| CVE-2020-35922 | Medium | 6.8 | Not Defined | 0.0% | mio-0.6.22.crate | Transitive | N/A* | | |
| CVE-2020-35921 | Medium | 6.8 | Not Defined | 0.0% | miow-0.2.1.crate | Transitive | N/A* | | |
| CVE-2020-35920 | Medium | 6.8 | Not Defined | 0.0% | net2-0.2.34.crate | Transitive | N/A* | | |
| CVE-2020-35919 | Medium | 6.8 | Not Defined | 0.0% | net2-0.2.34.crate | Transitive | N/A* | | |
| CVE-2021-21299 | Medium | 6.3 | Not Defined | 0.3% | hyper-0.13.5.crate | Direct | hyper - 0.13.10,0.14.3 | | |
| CVE-2020-35905 | Medium | 5.7 | Not Defined | 0.0% | futures-util-0.3.5.crate | Transitive | N/A* | | |
| WS-2020-0404 | Medium | 5.3 | Not Defined | | net2-0.2.34.crate | Transitive | N/A* | | |
| WS-2020-0189 | Medium | 5.3 | Not Defined | | futures-util-0.3.5.crate | Transitive | N/A* | | |
| CVE-2023-22466 | Medium | 5.3 | Not Defined | 0.1% | tokio-0.2.21.crate | Transitive | N/A* | | |

*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.

## Details

**WS-2023-0027**

### Vulnerable Library - tokio-0.2.21.crate

An event-driven, non-blocking I/O platform for writing asynchronous I/O backed applications.

Library home page: https://crates.io/api/v1/crates/tokio/0.2.21/download

Path to dependency file: /Cargo.toml

Path to vulnerable library: /Cargo.toml

Dependency Hierarchy:

- hyper-0.13.5.crate (Root Library)
  - :x: **tokio-0.2.21.crate** (Vulnerable Library)

Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411

Found in base branch: master

### Vulnerability Details

A soundness issue was discovered in tokio: tokio::io::ReadHalf::unsplit can violate the Pin contract. The specific set of conditions needed to trigger the issue (a !Unpin type in ReadHalf) is unusual, and this is compounded by the difficulty of making an arbitrary use-after-free exploitable in Rust without careful alignment of data types in the surrounding code. The tokio feature io-util must also be enabled to trigger this soundness issue.

Publish Date: 2023-02-02

URL: WS-2023-0027

### Threat Assessment

Exploit Maturity: Not Defined

EPSS:

### CVSS 4 Score Details (9.3)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

For more information on CVSS4 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2023-0005.html

Release Date: 2023-02-02

Fix Resolution: tokio - 1.18.5,1.20.4,1.24.2

**CVE-2021-45710**

### Vulnerable Library - tokio-0.2.21.crate

An event-driven, non-blocking I/O platform for writing asynchronous I/O backed applications.

Library home page: https://crates.io/api/v1/crates/tokio/0.2.21/download

Path to dependency file: /Cargo.toml

Path to vulnerable library: /Cargo.toml

Dependency Hierarchy:

- hyper-0.13.5.crate (Root Library)
  - :x: **tokio-0.2.21.crate** (Vulnerable Library)

Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411

Found in base branch: master

### Vulnerability Details

An issue was discovered in the tokio crate before 1.8.4, and 1.9.x through 1.13.x before 1.13.1, for Rust. In certain circumstances involving a closed oneshot channel, there is a data race and memory corruption. Mend Note: Converted from WS-2021-0424, on 2022-11-07.

Publish Date: 2021-12-26

URL: CVE-2021-45710

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

### CVSS 4 Score Details (9.2)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

For more information on CVSS4 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2021-0124.html

Release Date: 2021-12-27

Fix Resolution: tokio - 1.8.4,1.13.1

**CVE-2023-26964**

### Vulnerable Libraries - h2-0.2.5.crate, hyper-0.13.5.crate

### h2-0.2.5.crate

An HTTP/2.0 client and server

Library home page: https://crates.io/api/v1/crates/h2/0.2.5/download

Path to dependency file: /Cargo.toml

Path to vulnerable library: /Cargo.toml

Dependency Hierarchy:

- hyper-0.13.5.crate (Root Library)
  - :x: **h2-0.2.5.crate** (Vulnerable Library)

### hyper-0.13.5.crate

A fast and correct HTTP library.

Library home page: https://crates.io/api/v1/crates/hyper/0.13.5/download

Path to dependency file: /Cargo.toml

Path to vulnerable library: /Cargo.toml

Dependency Hierarchy:

- :x: **hyper-0.13.5.crate** (Vulnerable Library)

Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411

Found in base branch: master

### Vulnerability Details

An issue was discovered in hyper v0.13.7 (h2 0.2.4): stream stacking occurs when the H2 component processes HTTP/2 RST_STREAM frames. As a result, memory and CPU usage become high, which can lead to a Denial of Service (DoS).

Publish Date: 2023-04-11

URL: CVE-2023-26964

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

### CVSS 4 Score Details (8.7)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

For more information on CVSS4 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-f8vr-r385-rh5r

Release Date: 2023-04-11

Fix Resolution: h2 - 0.3.17

**CVE-2020-35906**

### Vulnerable Library - futures-task-0.3.5.crate

Tools for working with tasks.

Library home page: https://crates.io/api/v1/crates/futures-task/0.3.5/download

Path to dependency file: /Cargo.toml

Path to vulnerable library: /Cargo.toml

Dependency Hierarchy:

- hyper-0.13.5.crate (Root Library)
  - h2-0.2.5.crate
    - futures-util-0.3.5.crate
      - :x: **futures-task-0.3.5.crate** (Vulnerable Library)

Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411

Found in base branch: master

### Vulnerability Details

An issue was discovered in the futures-task crate before 0.3.6 for Rust. futures_task::waker may cause a use-after-free in a non-static type situation. Mend Note: Converted from WS-2020-0237, on 2021-01-19.

Publish Date: 2020-12-31

URL: CVE-2020-35906

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

### CVSS 4 Score Details (8.5)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

For more information on CVSS4 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-r93v-9p5q-vhpf

Release Date: 2020-12-31

Fix Resolution: futures-task - 0.3.6

**CVE-2022-31394**

### Vulnerable Library - hyper-0.13.5.crate

A fast and correct HTTP library.

Library home page: https://crates.io/api/v1/crates/hyper/0.13.5/download

Path to dependency file: /Cargo.toml

Path to vulnerable library: /Cargo.toml

Dependency Hierarchy:

- :x: **hyper-0.13.5.crate** (Vulnerable Library)

Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411

Found in base branch: master

### Vulnerability Details

Hyperium Hyper before 0.14.19 does not allow customization of the max_header_list_size method in the third-party H2 software, allowing attackers to perform HTTP/2 attacks.

Publish Date: 2023-02-21

URL: CVE-2022-31394

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

### CVSS 4 Score Details (8.2)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

For more information on CVSS4 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2023-02-21

Fix Resolution: hyper - v0.14.19

**CVE-2021-38191**

### Vulnerable Library - tokio-0.2.21.crate

An event-driven, non-blocking I/O platform for writing asynchronous I/O backed applications.

Library home page: https://crates.io/api/v1/crates/tokio/0.2.21/download

Path to dependency file: /Cargo.toml

Path to vulnerable library: /Cargo.toml

Dependency Hierarchy:

- hyper-0.13.5.crate (Root Library)
  - :x: **tokio-0.2.21.crate** (Vulnerable Library)

Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411

Found in base branch: master

### Vulnerability Details

An issue was discovered in the tokio crate before 1.8.1 for Rust. Upon a JoinHandle::abort, a Task may be dropped in the wrong thread. Mend Note: Converted from WS-2021-0178, on 2021-08-09.

Publish Date: 2021-08-08

URL: CVE-2021-38191

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

### CVSS 4 Score Details (8.2)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

For more information on CVSS4 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2021-0072.html

Release Date: 2021-08-08

Fix Resolution: tokio - 1.5.1,1.6.3,1.7.2,1.8.1

**CVE-2021-32714**

### Vulnerable Library - hyper-0.13.5.crate

A fast and correct HTTP library.

Library home page: https://crates.io/api/v1/crates/hyper/0.13.5/download

Path to dependency file: /Cargo.toml

Path to vulnerable library: /Cargo.toml

Dependency Hierarchy:

- :x: **hyper-0.13.5.crate** (Vulnerable Library)

Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411

Found in base branch: master

### Vulnerability Details

hyper is an HTTP library for Rust. In versions prior to 0.14.10, hyper's HTTP server and client code had a flaw that could trigger an integer overflow when decoding chunk sizes that are too big. This allows possible data loss, or if combined with an upstream HTTP proxy that allows chunk sizes larger than hyper does, can result in "request smuggling" or "desync attacks." The vulnerability is patched in version 0.14.10. Two possible workarounds exist. One may reject requests manually that contain a `Transfer-Encoding` header or ensure any upstream proxy rejects `Transfer-Encoding` chunk sizes greater than what fits in 64-bit unsigned integers.

Publish Date: 2021-07-07

URL: CVE-2021-32714

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

### CVSS 4 Score Details (8.2)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

For more information on CVSS4 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32714

Release Date: 2021-07-07

Fix Resolution: hyper - 0.14.10

**CVE-2020-36471**

### Vulnerable Library - generator-0.6.21.crate

Stackfull Generator Library in Rust

Library home page: https://crates.io/api/v1/crates/generator/0.6.21/download

Path to dependency file: /Cargo.toml

Path to vulnerable library: /Cargo.toml

Dependency Hierarchy:

- hyper-0.13.5.crate (Root Library)
  - tokio-0.2.21.crate
    - bytes-0.5.5.crate
      - loom-0.3.4.crate
        - :x: **generator-0.6.21.crate** (Vulnerable Library)

Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411

Found in base branch: master

### Vulnerability Details

An issue was discovered in the generator crate before 0.7.0 for Rust. It does not ensure that a function (for yielding values) has Send bounds. Mend Note: Converted from WS-2020-0290, on 2021-08-09.

Publish Date: 2021-08-08

URL: CVE-2020-36471

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

### CVSS 4 Score Details (8.2)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

For more information on CVSS4 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2020-0151.html

Release Date: 2021-08-08

Fix Resolution: generator - 0.7.0

**WS-2022-0132**

### Vulnerable Library - hyper-0.13.5.crate

A fast and correct HTTP library.

Library home page: https://crates.io/api/v1/crates/hyper/0.13.5/download

Path to dependency file: /Cargo.toml

Path to vulnerable library: /Cargo.toml

Dependency Hierarchy:

- :x: **hyper-0.13.5.crate** (Vulnerable Library)

Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411

Found in base branch: master

### Vulnerability Details

The parser in Hyper before 0.14.12 creates an invalid uninitialized value. Affected versions of this crate called mem::uninitialized() in the HTTP/1 parser to create values of type httparse::Header (from the httparse crate). This is unsound, since Header contains references and thus must be non-null.

Publish Date: 2022-05-10

URL: WS-2022-0132

### Threat Assessment

Exploit Maturity: Not Defined

EPSS:

### CVSS 3 Score Details (7.5)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2022-0022.html

Release Date: 2022-05-10

Fix Resolution: hyper - 0.14.12

**CVE-2020-35922**

### Vulnerable Library - mio-0.6.22.crate

Lightweight non-blocking IO

Library home page: https://crates.io/api/v1/crates/mio/0.6.22/download

Path to dependency file: /Cargo.toml

Path to vulnerable library: /Cargo.toml

Dependency Hierarchy:

- hyper-0.13.5.crate (Root Library)
  - tokio-0.2.21.crate
    - :x: **mio-0.6.22.crate** (Vulnerable Library)

Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411

Found in base branch: master

### Vulnerability Details

An issue was discovered in the mio crate before 0.7.6 for Rust. It has false expectations about the std::net::SocketAddr memory representation. Mend Note: Converted from WS-2020-0225, on 2021-01-19.

Publish Date: 2020-12-31

URL: CVE-2020-35922

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

### CVSS 4 Score Details (6.8)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

For more information on CVSS4 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2020-0081.html

Release Date: 2020-12-31

Fix Resolution: mio - 0.7.6

**CVE-2020-35921**

### Vulnerable Library - miow-0.2.1.crate

A zero overhead I/O library for Windows, focusing on IOCP and Async I/O abstractions.

Library home page: https://crates.io/api/v1/crates/miow/0.2.1/download

Path to dependency file: /Cargo.toml

Path to vulnerable library: /Cargo.toml

Dependency Hierarchy:

- hyper-0.13.5.crate (Root Library)
  - tokio-0.2.21.crate
    - mio-0.6.22.crate
      - :x: **miow-0.2.1.crate** (Vulnerable Library)

Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411

Found in base branch: master

### Vulnerability Details

An issue was discovered in the miow crate before 0.3.6 for Rust. It has false expectations about the std::net::SocketAddr memory representation. Mend Note: Converted from WS-2020-0229, on 2021-01-19.

Publish Date: 2020-12-31

URL: CVE-2020-35921

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

### CVSS 4 Score Details (6.8)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

For more information on CVSS4 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2020-0080.html

Release Date: 2020-12-31

Fix Resolution: miow - 0.2.2,0.3.6

**CVE-2020-35920**

### Vulnerable Library - net2-0.2.34.crate

Extensions to the standard library's networking types as proposed in RFC 1158.

Library home page: https://crates.io/api/v1/crates/net2/0.2.34/download

Path to dependency file: /Cargo.toml

Path to vulnerable library: /Cargo.toml

Dependency Hierarchy:

- hyper-0.13.5.crate (Root Library)
  - tokio-0.2.21.crate
    - mio-0.6.22.crate
      - :x: **net2-0.2.34.crate** (Vulnerable Library)

Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411

Found in base branch: master

### Vulnerability Details

An issue was discovered in the socket2 crate before 0.3.16 for Rust. It has false expectations about the std::net::SocketAddr memory representation. Mend Note: Converted from WS-2020-0230, on 2021-01-19.

Publish Date: 2020-12-31

URL: CVE-2020-35920

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

### CVSS 4 Score Details (6.8)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

For more information on CVSS4 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-458v-4hrf-g3m4

Release Date: 2020-12-31

Fix Resolution: net2 - 0.2.36, socket2 - 0.3.16

**CVE-2020-35919**

### Vulnerable Library - net2-0.2.34.crate

Extensions to the standard library's networking types as proposed in RFC 1158.

Library home page: https://crates.io/api/v1/crates/net2/0.2.34/download

Path to dependency file: /Cargo.toml

Path to vulnerable library: /Cargo.toml

Dependency Hierarchy:

- hyper-0.13.5.crate (Root Library)
  - tokio-0.2.21.crate
    - mio-0.6.22.crate
      - :x: **net2-0.2.34.crate** (Vulnerable Library)

Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411

Found in base branch: master

### Vulnerability Details

An issue was discovered in the net2 crate before 0.2.36 for Rust. It has false expectations about the std::net::SocketAddr memory representation. Mend Note: Converted from WS-2020-0231, on 2021-01-19.

Publish Date: 2020-12-31

URL: CVE-2020-35919

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

### CVSS 4 Score Details (6.8)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

For more information on CVSS4 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2020-0078.html

Release Date: 2020-12-31

Fix Resolution: net2 - 0.2.36

**CVE-2021-21299**

### Vulnerable Library - hyper-0.13.5.crate

A fast and correct HTTP library.

Library home page: https://crates.io/api/v1/crates/hyper/0.13.5/download

Path to dependency file: /Cargo.toml

Path to vulnerable library: /Cargo.toml

Dependency Hierarchy:

- :x: **hyper-0.13.5.crate** (Vulnerable Library)

Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411

Found in base branch: master

### Vulnerability Details

hyper is an open-source HTTP library for Rust (crates.io). In hyper from version 0.12.0 and before versions 0.13.10 and 0.14.3 there is a vulnerability that can enable a request smuggling attack. The HTTP server code had a flaw that incorrectly understands some requests with multiple transfer-encoding headers to have a chunked payload, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that understands the request payload boundary differently can result in "request smuggling" or "desync attacks". To determine if vulnerable, all these things must be true:

1. Using hyper as an HTTP server (the client is not affected),
2. Using HTTP/1.1 (HTTP/2 does not use transfer-encoding),
3. Using a vulnerable HTTP proxy upstream to hyper.

If an upstream proxy correctly rejects the illegal transfer-encoding headers, the desync attack cannot succeed. If there is no proxy upstream of hyper, hyper cannot start the desync attack, as the client will repair the headers before forwarding. This is fixed in versions 0.14.3 and 0.13.10. As a workaround one can take the following options:

1. Reject requests that contain a `transfer-encoding` header,
2. Ensure any upstream proxy handles `transfer-encoding` correctly.

Publish Date: 2021-02-11

URL: CVE-2021-21299

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.3%

### CVSS 4 Score Details (6.3)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

For more information on CVSS4 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2021-0020.html

Release Date: 2021-02-11

Fix Resolution: hyper - 0.13.10,0.14.3

**CVE-2020-35905**

### Vulnerable Library - futures-util-0.3.5.crate

Common utilities and extension traits for the futures-rs library.

Library home page: https://crates.io/api/v1/crates/futures-util/0.3.5/download

Path to dependency file: /Cargo.toml

Path to vulnerable library: /Cargo.toml

Dependency Hierarchy:

- hyper-0.13.5.crate (Root Library)
  - h2-0.2.5.crate
    - :x: **futures-util-0.3.5.crate** (Vulnerable Library)

Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411

Found in base branch: master

### Vulnerability Details

An issue was discovered in the futures-util crate before 0.3.7 for Rust. MutexGuard::map can cause a data race for certain closure situations (in safe code).

Publish Date: 2020-12-31

URL: CVE-2020-35905

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

### CVSS 4 Score Details (5.7)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: High
  - Privileges Required: Low
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

For more information on CVSS4 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2020-0059.html

Release Date: 2020-12-31

Fix Resolution: futures-util - 0.3.7

**WS-2020-0404**

### Vulnerable Library - net2-0.2.34.crate

Extensions to the standard library's networking types as proposed in RFC 1158.

Library home page: https://crates.io/api/v1/crates/net2/0.2.34/download

Path to dependency file: /Cargo.toml

Path to vulnerable library: /Cargo.toml

Dependency Hierarchy:

- hyper-0.13.5.crate (Root Library)
  - tokio-0.2.21.crate
    - mio-0.6.22.crate
      - :x: **net2-0.2.34.crate** (Vulnerable Library)

Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411

Found in base branch: master

### Vulnerability Details

The net2 crate assumed that std::net::SocketAddrV4 and std::net::SocketAddrV6 have the same memory layout as the system C representation sockaddr, and simply cast the pointers to convert the socket addresses to the system representation. The standard library says nothing about the memory layout, so this will cause invalid memory access if the standard library changes its implementation. No warnings or errors will be emitted once such a change happens. Fixed in version 0.2.36.

Publish Date: 2020-11-07

URL: WS-2020-0404

### Threat Assessment

Exploit Maturity: Not Defined

EPSS:

### CVSS 3 Score Details (5.3)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2020-0078.html

Release Date: 2020-11-07

Fix Resolution: net2 - 0.2.36

**WS-2020-0189**

### Vulnerable Library - futures-util-0.3.5.crate

Common utilities and extension traits for the futures-rs library.

Library home page: https://crates.io/api/v1/crates/futures-util/0.3.5/download

Path to dependency file: /Cargo.toml

Path to vulnerable library: /Cargo.toml

Dependency Hierarchy:

- hyper-0.13.5.crate (Root Library)
  - h2-0.2.5.crate
    - :x: **futures-util-0.3.5.crate** (Vulnerable Library)

Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411

Found in base branch: master

### Vulnerability Details

Affected versions of futures-rs had a Send/Sync implementation for MappedMutexGuard that only considered variance on T, while MappedMutexGuard dereferenced to U. This could have led to data races in safe Rust code when a closure used in MutexGuard::map() returns a U that is unrelated to T. The issue was fixed by correcting the Send and Sync implementations, and by adding a PhantomData<&'a mut U> marker to the MappedMutexGuard type to tell the compiler that the guard is over U too. This affects futures-rs 0.3.2 through 0.3.6 and is fixed in futures-rs 0.3.7 onwards.

Publish Date: 2020-11-02

URL: WS-2020-0189

### Threat Assessment

Exploit Maturity: Not Defined

EPSS:

### CVSS 3 Score Details (5.3)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2020-11-02

Fix Resolution: futures-util - 0.3.7

**CVE-2023-22466**

### Vulnerable Library - tokio-0.2.21.crate

An event-driven, non-blocking I/O platform for writing asynchronous I/O backed applications.

Library home page: https://crates.io/api/v1/crates/tokio/0.2.21/download

Path to dependency file: /Cargo.toml

Path to vulnerable library: /Cargo.toml

Dependency Hierarchy:

- hyper-0.13.5.crate (Root Library)
  - :x: **tokio-0.2.21.crate** (Vulnerable Library)

Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411

Found in base branch: master

### Vulnerability Details

Tokio is a runtime for writing applications with Rust. Starting with version 1.7.0 and prior to versions 1.18.4, 1.20.3, and 1.23.1, when configuring a Windows named pipe server, setting `pipe_mode` will reset `reject_remote_clients` to `false`. If the application has previously configured `reject_remote_clients` to `true`, this effectively undoes the configuration. Remote clients may only access the named pipe if the named pipe's associated path is accessible via a publicly shared folder (SMB). Versions 1.23.1, 1.20.3, and 1.18.4 have been patched. The fix will also be present in all releases starting from version 1.24.0. Named pipes were introduced to Tokio in version 1.7.0, so releases older than 1.7.0 are not affected. As a workaround, ensure that `pipe_mode` is set first after initializing a `ServerOptions`.

Publish Date: 2023-01-04

URL: CVE-2023-22466

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

### CVSS 4 Score Details (5.3)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

For more information on CVSS4 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/tokio-rs/tokio/security/advisories/GHSA-7rrj-xr53-82p7

Release Date: 2023-01-04

Fix Resolution: tokio - 1.18.4,1.20.3,1.23.1

mend-for-github-com[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-for-github-com[bot] commented 1 year ago

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.