CVE-2023-44386 — Improper Handling of Extra Values in Vapor

CWE-231 — Improper Handling of Extra Values CWE-617 — Reachable Assertion CWE-696 — Incorrect Behavior Order3 documents3 sources

Severity

5.3MEDIUMNVD

EPSS

0.1%

top 83.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vapor Github.com Vapor Vapor

Timeline

PublishedOct 5

Description

Vapor is an HTTP web framework for Swift. There is a denial of service vulnerability impacting all users of affected versions of Vapor. The HTTP1 error handler closed connections when HTTP parse errors occur instead of passing them on. The issue is fixed as of Vapor release 4.84.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶NVDvapor/vapor4.83.2 — 4.84.2

▶SwiftURLgithub.com/vapor_vapor4.83.2 — 4.84.2

▶CVEListV5vapor/vapor>= 4.83.2, < 4.84.2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Vapor's incorrect request error handling triggers server crash↗2023-10-05

▶

GHSA

Vapor's incorrect request error handling triggers server crash↗2023-10-05

▶