CVE-2022-31005 – vapor
Package
Manager: swift
Name: vapor
Vulnerable Version: >=0 <4.60.3
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00454 (percentile: 0.62939)
Details
Vapor vulnerable to denial of service in HTTP Range Request of FileMiddleware

Vapor is an HTTP web framework for Swift and [middleware](https://docs.vapor.codes/advanced/middleware/) is a logic chain between the client and a Vapor route handler. [FileMiddleware](https://docs.vapor.codes/advanced/middleware/#file-middleware) enables the serving of assets from the Public folder of a project to the client. Vapor before 4.60.3 is vulnerable to denial of service due to an integer overflow when given invalid range headers while using FileMiddleware. This is patched in 4.60.3.
Metadata
Created: 2023-06-07T16:26:25Z
Modified: 2023-06-07T16:26:25Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-vj2m-9f5j-mpr5/GHSA-vj2m-9f5j-mpr5.json
CWE IDs: ["CWE-190"]
Alternative ID: GHSA-vj2m-9f5j-mpr5
Finding: F111
Auto approve: 1