5.3

CVE-2023-44386

Incorrect request error handling triggers server crash in Vapor

Vapor is an HTTP web framework for Swift. There is a denial of service vulnerability impacting all users of affected versions of Vapor. The HTTP1 error handler closed connections when HTTP parse errors occur instead of passing them on. The issue is fixed as of Vapor release 4.84.2.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
VaporVapor Version >= 4.83.2 < 4.84.2
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.6% 0.439
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
security-advisories@github.com 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE-231 Improper Handling of Extra Values

The product does not handle or incorrectly handles when more values are provided than expected.

CWE-617 Reachable Assertion

The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

CWE-696 Incorrect Behavior Order

The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.

https://github.com/vapor/vapor/commit/090464a654b03148b139a81f8f5ac63b0856f6f3
Patch
https://github.com/vapor/vapor/releases/tag/4.84.2
Release Notes
https://github.com/vapor/vapor/security/advisories/GHSA-3mwq-h3g6-ffhm
Third Party Advisory