CVE-2023-44386

Vapor is an HTTP web framework for Swift. There is a denial of service vulnerability impacting all users of affected versions of Vapor. The HTTP1 error handler closed connections when HTTP parse errors occur instead of passing them on. The issue is fixed as of Vapor release 4.84.2.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/vapor/vapor/commit/090464a654b03148b139a81f8f5ac63b0856f6f3	Patch
https://github.com/vapor/vapor/releases/tag/4.84.2	Release Notes
https://github.com/vapor/vapor/security/advisories/GHSA-3mwq-h3g6-ffhm	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:vapor:vapor:*:*:*:*:*:*:*:*

History

11 Oct 2023, 17:47

Type	Values Removed	Values Added
First Time		Vapor Vapor vapor
References	~~(MISC) https://github.com/vapor/vapor/security/advisories/GHSA-3mwq-h3g6-ffhm -~~	(MISC) https://github.com/vapor/vapor/security/advisories/GHSA-3mwq-h3g6-ffhm - Third Party Advisory
References	~~(MISC) https://github.com/vapor/vapor/commit/090464a654b03148b139a81f8f5ac63b0856f6f3 -~~	(MISC) https://github.com/vapor/vapor/commit/090464a654b03148b139a81f8f5ac63b0856f6f3 - Patch
References	~~(MISC) https://github.com/vapor/vapor/releases/tag/4.84.2 -~~	(MISC) https://github.com/vapor/vapor/releases/tag/4.84.2 - Release Notes
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3
CPE		cpe:2.3:a:vapor:vapor::::::::

05 Oct 2023, 19:13

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-10-05 18:15

Updated : 2024-02-28 20:33

NVD link : CVE-2023-44386

Mitre link : CVE-2023-44386

CVE.ORG link : CVE-2023-44386

JSON object : View

Products Affected

vapor

vapor

CWE

CWE-231

Improper Handling of Extra Values

CWE-617

Reachable Assertion

CWE-696

Incorrect Behavior Order

{"id": "CVE-2023-44386", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2023-10-05T18:15:12.667", "references": [{"url": "https://github.com/vapor/vapor/commit/090464a654b03148b139a81f8f5ac63b0856f6f3", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/vapor/vapor/releases/tag/4.84.2", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/vapor/vapor/security/advisories/GHSA-3mwq-h3g6-ffhm", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-231"}, {"lang": "en", "value": "CWE-617"}, {"lang": "en", "value": "CWE-696"}]}], "descriptions": [{"lang": "en", "value": "Vapor is an HTTP web framework for Swift. There is a denial of service vulnerability impacting all users of affected versions of Vapor. The HTTP1 error handler closed connections when HTTP parse errors occur instead of passing them on. The issue is fixed as of Vapor release 4.84.2."}, {"lang": "es", "value": "Vapor es un framework web HTTP para Swift. Existe una vulnerabilidad de denegaci\u00f3n de servicio que afecta a todos los usuarios de las versiones afectadas de Vapor. El controlador de errores HTTP1 cerraba las conexiones cuando se produc\u00edan errores de an\u00e1lisis HTTP en lugar de transmitirlos. El problema se solucion\u00f3 a partir de la versi\u00f3n 4.84.2 de Vapor."}], "lastModified": "2023-10-11T17:47:30.137", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vapor:vapor:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E52303C2-AF9E-4F61-86C3-EDD76AD0BB43", "versionEndExcluding": "4.84.2", "versionStartIncluding": "4.83.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}