CVE-2020-35863 — HTTP Request Smuggling in Hyper

CWE-444 — HTTP Request Smuggling6 documents4 sources

Severity

9.8CRITICALNVD

EPSS

2.0%

top 16.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Hyper Debian Rust-hyper

Timeline

PublishedDec 31

Latest updateAug 25

Description

An issue was discovered in the hyper crate before 0.12.34 for Rust. HTTP request smuggling can occur. Remote code execution can occur in certain situations with an HTTP server on the loopback interface.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶debiandebian/rust-hyper< rust-hyper 0.12.35-1 (bookworm)

▶NVDhyper/hyper< 0.12.34

▶crates.iohyper/hyper0.11.0 — 0.12.34

Patches

Patch: rustsec.org ↗Patch: rustsec.org ↗

🔴Vulnerability Details

OSV

HTTP Request Smuggling in hyper↗2021-08-25

▶

GHSA

HTTP Request Smuggling in hyper↗2021-08-25

▶

OSV

CVE-2020-35863: An issue was discovered in the hyper crate before 0↗2020-12-31

▶

OSV

Flaw in hyper allows request smuggling by sending a body in GET requests↗2020-03-19

▶

📋Vendor Advisories

Debian

CVE-2020-35863: rust-hyper - An issue was discovered in the hyper crate before 0.12.34 for Rust. HTTP request...↗2020

▶