Severity: 6.5 MEDIUM (NVD)
EPSS: 0.3% (top 46.08%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 3

Description

Vapor is an HTTP web framework for Swift. Prior to version 4.90.0, Vapor's `vapor_urlparser_parse` function uses `uint16_t` indexes when parsing a URI's components, which may cause integer overflows when parsing untrusted inputs. This vulnerability does not affect Vapor directly but could impact applications relying on the URI type for validating user input. The URI type is used in several places in Vapor. A developer may decide to use URI to represent a URL in their application (especially if t

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (2 packages)

NVD: vapor/vapor < 4.90.0
SwiftURL: github.com/vapor_vapor < 4.90.0

Vulnerability Details (2)

OSV: Vapor contains an integer overflow in URI leading to potential host spoofing (2024-01-03)
GHSA: Vapor contains an integer overflow in URI leading to potential host spoofing (2024-01-03)