CVE-2024-51502 – loona-hpack

Package

Manager: cargo
Name: loona-hpack
Vulnerable Version: >=0 <0.4.3

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00235 pctl0.4632

Details

loona-hpack Panic Vulnerability ### Summary `loona-hpack` suffers from the same vulnerability as the original `hpack` as documented in https://github.com/mlalic/hpack-rs/issues/11 ### Details The original includes a very nice description of the problem, as well as an easy-enough fix for it. ### PoC The original example pretty much still applies: ```rust use loona_hpack::Decoder; pub fn main() { let input = &[0x3f]; let mut decoder = Decoder::new(); let _ = decoder.decode(input); } ``` ### Impact From the original: `All users who try to decode untrusted input using the Decoder are vulnerable to this exploit. A patched version of the crate is available on [crates.io](https://crates.io/crates/hpack-patched) under the name hpack-patched. See [Cargo's documentation on overriding dependencies](https://doc.rust-lang.org/cargo/reference/overriding-dependencies.html) for more information.`

Metadata

Created: 2024-11-04T23:22:33Z
Modified: 2024-11-05T18:35:38Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-7vm6-qwh5-9x44/GHSA-7vm6-qwh5-9x44.json
CWE IDs: ["CWE-754", "CWE-755"]
Alternative ID: GHSA-7vm6-qwh5-9x44
Finding: F096
Auto approve: 1