CVE-2020-26281

{"id": "CVE-2020-26281", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 2.2}]}, "published": "2020-12-21T22:15:13.407", "references": [{"url": "https://github.com/http-rs/async-h1/releases/tag/v2.3.0", "tags": ["Release Notes", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/http-rs/async-h1/security/advisories/GHSA-4vr9-8cjf-vf9c", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/http-rs/async-h1/releases/tag/v2.3.0", "tags": ["Release Notes", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/http-rs/async-h1/security/advisories/GHSA-4vr9-8cjf-vf9c", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-444"}]}], "descriptions": [{"lang": "en", "value": "async-h1 is an asynchronous HTTP/1.1 parser for Rust (crates.io). There is a request smuggling vulnerability in async-h1 before version 2.3.0. This vulnerability affects any webserver that uses async-h1 behind a reverse proxy, including all such Tide applications. If the server does not read the body of a request which is longer than some buffer length, async-h1 will attempt to read a subsequent request from the body content starting at that offset into the body. One way to exploit this vulnerability would be for an adversary to craft a request such that the body contains a request that would not be noticed by a reverse proxy, allowing it to forge forwarded/x-forwarded headers. If an application trusted the authenticity of these headers, it could be misled by the smuggled request. Another potential concern with this vulnerability is that if a reverse proxy is sending multiple http clients' requests along the same keep-alive connection, it would be possible for the smuggled request to specify a long content and capture another user's request in its body. This content could be captured in a post request to an endpoint that allows the content to be subsequently retrieved by the adversary. This has been addressed in async-h1 2.3.0 and previous versions have been yanked."}, {"lang": "es", "value": "async-h1 es un analizador HTTP/1.1 asincr\u00f3nico para Rust (crates.io). Se presenta una vulnerabilidad de tr\u00e1fico no autorizado de peticiones en async-h1 anterior a la versi\u00f3n 2.3.0. Esta vulnerabilidad afecta a cualquier servidor web que use async-h1 detr\u00e1s de un proxy inverso, incluyendo todas estas aplicaciones de Tide. Si el servidor no lee el cuerpo de una petici\u00f3n que es m\u00e1s larga que una longitud de b\u00fafer, async-h1 intentar\u00e1 leer una petici\u00f3n posterior del contenido del cuerpo comenzando en ese desplazamiento en el cuerpo. Una forma de explotar esta vulnerabilidad ser\u00eda que un adversario dise\u00f1e una petici\u00f3n de modo que el cuerpo contenga una petici\u00f3n que no ser\u00eda detectada por un proxy inverso, lo que le permitir\u00e1 falsificar encabezados forwarded/x-forwarded. Si una aplicaci\u00f3n confiaba en la autenticidad de estos encabezados, podr\u00eda ser enga\u00f1ada por la petici\u00f3n de tr\u00e1fico no autorizado. Otra posible preocupaci\u00f3n con esta vulnerabilidad es que si un proxy inverso env\u00eda m\u00faltiples peticiones de clientes http a lo largo de la misma conexi\u00f3n keep-alive, ser\u00eda posible que la petici\u00f3n de tr\u00e1fico no autorizado especifique un contenido largo y capture la petici\u00f3n de otro usuario en su cuerpo. Este contenido podr\u00eda ser capturado en una petici\u00f3n post hacia un endpoint que permita que el contenido posteriormente sea recuperado por el adversario. Esto se ha abordado en async-h1 2.3.0 y se han eliminado las versiones anteriores"}], "lastModified": "2024-11-21T05:19:44.897", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rust-lang:async-h1:*:*:*:*:*:rust:*:*", "vulnerable": true, "matchCriteriaId": "5501F420-6220-43B9-9931-64C3439391E3", "versionEndExcluding": "2.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}