CVE-2021-32742 – vapor
Package
Manager: swift
Name: vapor
Vulnerable Version: >=0 <4.47.2
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00374 (percentile: 0.58254)
Details
Untrusted data fed into `Data.init(base32Encoded:)` can result in exposing server memory and/or a crash

### Impact
A bug in the `Data.init(base32Encoded:)` function opens up the potential for exposing server memory and/or crashing the server (Denial of Service) for applications where untrusted data can end up in said function. Vapor does not currently use this function itself, so this only impacts applications that use the impacted function directly or through other dependencies.

### Patches
This issue has been patched in 4.47.2.

### Workarounds
Use an alternative to Vapor's built-in `Data.init(base32Encoded:)`.

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Vapor](https://github.com/vapor/vapor)
* Ask in [Discord](http://vapor.team)
Metadata
Created: 2023-06-09T19:31:54Z
Modified: 2023-06-09T19:31:54Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-pqwh-c2f3-vxmq/GHSA-pqwh-c2f3-vxmq.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-pqwh-c2f3-vxmq
Finding: F096
Auto approve: 1