CVE-2022-39294Uncontrolled Resource Consumption in Project Conduit-hyper

CWE-400Uncontrolled Resource ConsumptionCWE-1284Improper Validation of Specified Quantity in Input4 documents3 sources
Severity
7.5HIGHNVD
EPSS
0.3%
top 45.19%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Conduit-hyper Project Conduit-hyperConduit-rust Conduit-hyper
Timeline
PublishedOct 31

Description

conduit-hyper integrates a conduit application with the hyper server. Prior to version 0.4.2, `conduit-hyper` did not check any limit on a request's length before calling [`hyper::body::to_bytes`](https://docs.rs/hyper/latest/hyper/body/fn.to_bytes.html). An attacker could send a malicious request with an abnormally large `Content-Length`, which could lead to a panic if memory allocation failed for that request. In version 0.4.2, `conduit-hyper` sets an internal limit of 128 MiB per request, oth

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

CVEListV5conduit-rust/conduit-hyper>= 0.2.0-alpha.3, < 0.4.2
crates.ioconduit-hyper_project/conduit-hyper0.2.0-alpha.30.4.2

🔴Vulnerability Details

3
GHSA
conduit-hyper vulnerable to Denial of Service from unchecked request length2022-10-31
OSV
conduit-hyper vulnerable to Denial of Service from unchecked request length2022-10-31
OSV
Denial of Service from unchecked request length2022-10-30