CVE-2021-38512 – actix-http

Package

Manager: cargo
Name: actix-http
Vulnerable Version: >=0 <2.2.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00422 pctl0.61262

Details

HTTP Request Smuggling in actix-http Affected versions of this crate did not properly detect invalid requests that could allow HTTP/1 request smuggling (HRS) attacks when running alongside a vulnerable front-end proxy server. This can result in leaked internal and/or user data, including credentials, when the front-end proxy is also vulnerable. Popular front-end proxies and load balancers already mitigate HRS attacks so it is recommended that they are also kept up to date; check your specific set up. You should upgrade even if the front-end proxy receives exclusively HTTP/2 traffic and connects to the back-end using HTTP/1; several downgrade attacks are known that can also expose HRS vulnerabilities.

Metadata

Created: 2021-08-25T20:58:21Z
Modified: 2021-08-18T20:13:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-8928-2fgm-6x9x/GHSA-8928-2fgm-6x9x.json
CWE IDs: ["CWE-444"]
Alternative ID: GHSA-8928-2fgm-6x9x
Finding: F110
Auto approve: 1