CVE-2021-32742Deserialization of Untrusted Data in Project Vapor

CWE-502Deserialization of Untrusted Data4 documents3 sources
Severity
9.1CRITICALNVD
OSV6.5
EPSS
0.4%
top 40.93%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Vapor Project VaporGithub.com Vapor VaporSamba+1 more
Timeline
PublishedJul 9
Latest updateJun 9

Description

Vapor is a web framework for Swift. In versions 4.47.1 and prior, bug in the `Data.init(base32Encoded:)` function opens up the potential for exposing server memory and/or crashing the server (Denial of Service) for applications where untrusted data can end up in said function. Vapor does not currently use this function itself so this only impact applications that use the impacted function directly or through other dependencies. The vulnerability is patched in version 4.47.2. As a workaround, one

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:HExploitability: 3.9 | Impact: 5.2

Affected Packages4 packages

NVDvapor_project/vapor< 4.47.2
SwiftURLgithub.com/vapor_vapor< 4.47.2
CVEListV5vapor/vapor4.47.1
Ubuntusamba/samba< 2:4.13.17~dfsg-0ubuntu1.20.04.1+1

🔴Vulnerability Details

3
OSV
Untrusted data fed into `Data.init(base32Encoded:)` can result in exposing server memory and/or crash2023-06-09
GHSA
Untrusted data fed into `Data.init(base32Encoded:)` can result in exposing server memory and/or crash2023-06-09
OSV
samba vulnerabilities2022-08-01