CVE-2021-21299 — HTTP Request Smuggling in Hyper

CWE-444 — HTTP Request Smuggling6 documents4 sources

Severity

8.1HIGHNVD

EPSS

0.6%

top 31.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Hyperium Hyper Hyper Debian Rust-hyper

Timeline

PublishedFeb 11

Latest updateAug 25

Description

hyper is an open-source HTTP library for Rust (crates.io). In hyper from version 0.12.0 and before versions 0.13.10 and 0.14.3 there is a vulnerability that can enable a request smuggling attack. The HTTP server code had a flaw that incorrectly understands some requests with multiple transfer-encoding headers to have a chunked payload, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that understands the request payload boundary differently can result in "r…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages4 packages

▶debiandebian/rust-hyper< rust-hyper 0.14.19-1 (bookworm)

▶NVDhyper/hyper0.12.0 — 0.13.10+1

▶crates.iohyper/hyper0.14.0 — 0.14.3+4

▶CVEListV5hyperium/hyper< 0.13.10+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

HTTP Request Smuggling in hyper↗2021-08-25

▶

OSV

HTTP Request Smuggling in hyper↗2021-08-25

▶

OSV

CVE-2021-21299: hyper is an open-source HTTP library for Rust (crates↗2021-02-11

▶

OSV

Multiple Transfer-Encoding headers misinterprets request payload↗2021-02-05

▶

📋Vendor Advisories

Debian

CVE-2021-21299: rust-hyper - hyper is an open-source HTTP library for Rust (crates.io). In hyper from version...↗2021

▶