CVE-2021-38512HTTP Request Smuggling in Actix-http

CWE-444HTTP Request SmugglingCWE-20Improper Input Validation5 documents4 sources
Severity
7.5HIGHNVD
EPSS
0.4%
top 37.87%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Actix Actix-httpFedoraproject Fedora
Timeline
PublishedAug 10
Latest updateAug 25

Description

An issue was discovered in the actix-http crate before 3.0.0-beta.9 for Rust. HTTP/1 request smuggling (aka HRS) can occur, potentially leading to credential disclosure.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

NVDactix/actix-http< 3.0.0+1
crates.ioactix/actix-http0.0.0-02.2.1+2

Also affects: Fedora 34

🔴Vulnerability Details

3
GHSA
HTTP Request Smuggling in actix-http2021-08-25
OSV
HTTP Request Smuggling in actix-http2021-08-25
OSV
Potential request smuggling capabilities due to lack of input validation2021-06-16

📋Vendor Advisories

1
Red Hat
rust-actix-http: potential request smuggling capabilities due to lack of input validation2021-06-16
CVE-2021-38512 — HTTP Request Smuggling in Actix-http | cvebase