CVE-2022-31019Classic Buffer Overflow in Vapor

CWE-120Classic Buffer OverflowCWE-674Uncontrolled RecursionCWE-121Stack-based Buffer Overflow3 documents3 sources
Severity
7.5HIGHNVD
EPSS
0.4%
top 38.24%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
VaporGithub.com Vapor Vapor
Timeline
PublishedJun 9
Latest updateJun 7

Description

Vapor is a server-side Swift HTTP web framework. When using automatic content decoding an attacker can craft a request body that can make the server crash with the following request: `curl -d "array[_0][0][array][_0][0][array]$(for f in $(seq 1100); do echo -n '[_0][0][array]'; done)[string][_0]=hello%20world" http://localhost:8080/foo`. The issue is unbounded, attacker controlled stack growth which will at some point lead to a stack overflow and a process crash. This issue has been fixed in ver

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

NVDvapor/vapor< 4.61.1
SwiftURLgithub.com/vapor_vapor< 4.61.1

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

2
GHSA
Vapor vulnerable to denial of service in URLEncodedFormDecoder2023-06-07
OSV
Vapor vulnerable to denial of service in URLEncodedFormDecoder2023-06-07