CVE-2023-44386 - OpenCVE

Vapor is an HTTP web framework for Swift. There is a denial of service vulnerability impacting all users of affected versions of Vapor. The HTTP1 error handler closed connections when HTTP parse errors occur instead of passing them on. The issue is fixed as of Vapor release 4.84.2.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Vapor	Vapor

Configuration 1 [-]

cpe:2.3:a:vapor:vapor:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/vapor/vapor/commit/090464a654b03148b139a81f8f5ac63b0856f6f3	Patch
https://github.com/vapor/vapor/releases/tag/4.84.2	Release Notes
https://github.com/vapor/vapor/security/advisories/GHSA-3mwq-h3g6-ffhm	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-10-05T17:41:38.379Z

Updated: 2023-10-05T17:41:38.379Z

Reserved: 2023-09-28T17:56:32.613Z

Link: CVE-2023-44386

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-10-05T18:15:12.667

Modified: 2023-10-11T17:47:30.137

Link: CVE-2023-44386

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-44386", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-09-28T17:56:32.613Z", "datePublished": "2023-10-05T17:41:38.379Z", "dateUpdated": "2023-10-05T17:41:38.379Z"}, "containers": {"cna": {"title": "Incorrect request error handling triggers server crash in Vapor", "problemTypes": [{"descriptions": [{"cweId": "CWE-231", "lang": "en", "description": "CWE-231: Improper Handling of Extra Values", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-617", "lang": "en", "description": "CWE-617: Reachable Assertion", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-696", "lang": "en", "description": "CWE-696: Incorrect Behavior Order", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/vapor/vapor/security/advisories/GHSA-3mwq-h3g6-ffhm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vapor/vapor/security/advisories/GHSA-3mwq-h3g6-ffhm"}, {"name": "https://github.com/vapor/vapor/commit/090464a654b03148b139a81f8f5ac63b0856f6f3", "tags": ["x_refsource_MISC"], "url": "https://github.com/vapor/vapor/commit/090464a654b03148b139a81f8f5ac63b0856f6f3"}, {"name": "https://github.com/vapor/vapor/releases/tag/4.84.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/vapor/vapor/releases/tag/4.84.2"}], "affected": [{"vendor": "vapor", "product": "vapor", "versions": [{"version": ">= 4.83.2, < 4.84.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-10-05T17:41:38.379Z"}, "descriptions": [{"lang": "en", "value": "Vapor is an HTTP web framework for Swift. There is a denial of service vulnerability impacting all users of affected versions of Vapor. The HTTP1 error handler closed connections when HTTP parse errors occur instead of passing them on. The issue is fixed as of Vapor release 4.84.2."}], "source": {"advisory": "GHSA-3mwq-h3g6-ffhm", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vapor:vapor:*:*:*:*:*:*:*:*", "matchCriteriaId": "E52303C2-AF9E-4F61-86C3-EDD76AD0BB43", "versionEndExcluding": "4.84.2", "versionStartIncluding": "4.83.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Vapor is an HTTP web framework for Swift. There is a denial of service vulnerability impacting all users of affected versions of Vapor. The HTTP1 error handler closed connections when HTTP parse errors occur instead of passing them on. The issue is fixed as of Vapor release 4.84.2."}, {"lang": "es", "value": "Vapor es un framework web HTTP para Swift. Existe una vulnerabilidad de denegaci\u00f3n de servicio que afecta a todos los usuarios de las versiones afectadas de Vapor. El controlador de errores HTTP1 cerraba las conexiones cuando se produc\u00edan errores de an\u00e1lisis HTTP en lugar de transmitirlos. El problema se solucion\u00f3 a partir de la versi\u00f3n 4.84.2 de Vapor."}], "id": "CVE-2023-44386", "lastModified": "2023-10-11T17:47:30.137", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-10-05T18:15:12.667", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/vapor/vapor/commit/090464a654b03148b139a81f8f5ac63b0856f6f3"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/vapor/vapor/releases/tag/4.84.2"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/vapor/vapor/security/advisories/GHSA-3mwq-h3g6-ffhm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-231"}, {"lang": "en", "value": "CWE-617"}, {"lang": "en", "value": "CWE-696"}], "source": "security-advisories@github.com", "type": "Primary"}]}