WS-2022-0132 (High) detected in hyper-0.13.2.crate, hyper-0.13.6.crate #59
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
WS-2022-0132 - High Severity Vulnerability
hyper-0.13.2.crate
A fast and correct HTTP library.
Library home page: https://crates.io/api/v1/crates/hyper/0.13.2/download
Path to dependency file: /third_party/rust_crates/vendor/hyper-rustls/Cargo.toml
Path to vulnerable library: /third_party/rust_crates/vendor/hyper-rustls/Cargo.toml
Dependency Hierarchy:
hyper-0.13.6.crate
A fast and correct HTTP library.
Library home page: https://crates.io/api/v1/crates/hyper/0.13.6/download
Path to dependency file: /third_party/rust_crates/Cargo.toml
Path to vulnerable library: /third_party/rust_crates/Cargo.toml
Dependency Hierarchy:
Found in HEAD commit: 4ec0c406a28f193fe6e7376ee7696cca0532d4ba
Found in base branch: master
The parser in Hyper before 0.14.12 creates invalid uninitialized value. Affected versions of this crate called mem::uninitialized() in the HTTP1 parser to create values of type httparse::Header (from the httparse crate). This is unsound, since Header contains references and thus must be non-null
Publish Date: 2024-11-03
URL: WS-2022-0132
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://rustsec.org/advisories/RUSTSEC-2022-0022.html
Release Date: 2022-05-10
Fix Resolution: hyper - 0.14.12
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: