How severe is CVE-2021-32715?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5.3 out of 10.

What type of vulnerability is CVE-2021-32715?

This is classified as CWE-444, which is a common weakness in software security.

CVE-2021-32715

MEDIUM Year: 2021

CVSS v3 Score

5.3

Medium

CVSS v2 Score

4.3

Medium

Weakness Type

CWE-444

View all →

Vulnerability Description

hyper is an HTTP library for rust. hyper's HTTP/1 server code had a flaw that incorrectly parses and accepts requests with a `Content-Length` header with a prefixed plus sign, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that doesn't parse such `Content-Length` headers, but forwards them, can result in "request smuggling" or "desync attacks". The flaw exists in all prior versions of hyper prior to 0.14.10, if built with `rustc` v1.5.0 or newer. The vulnerability is patched in hyper version 0.14.10. Two workarounds exist: One may reject requests manually that contain a plus sign prefix in the `Content-Length` header or ensure any upstream proxy handles `Content-Length` headers with a plus sign prefix.

CVE-2018-4030

MEDIUM

CVSS:5.3(Medium)

An exploitable vulnerability exists the safe browsing function of the CUJO Smart Firewall, version 7003. The bug lies in the way the safe browsing function parses HTTP requests. The "Host" header is i...

CWE-4442018

CVE-2019-17567

MEDIUM

CVSS:5.3(Medium)

Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing f...

CWE-4442019

CVE-2019-18678

MEDIUM

CVSS:5.3(Medium)

An issue was discovered in Squid 3.x and 4.x through 4.8. It allows attackers to smuggle HTTP requests through frontend software to a Squid instance that splits the HTTP Request pipeline differently. ...

CWE-4442019

CVE-2019-20372

MEDIUM

CVSS:5.3(Medium)

NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is ...

CWE-4442019

CVE-2019-20866

MEDIUM

CVSS:5.3(Medium)

An issue was discovered in Mattermost Server before 5.12.0. Use of a Proxy HTTP header, rather than the source address in an IP packet header, for obtaining IP address information was mishandled.

CWE-4442019

CVE-2020-5220

MEDIUM

CVSS:5.3(Medium)

Sylius ResourceBundle accepts and uses any serialisation groups to be passed via a HTTP header. This might lead to data exposure by using an unintended serialisation group - for example it could make ...

CWE-4442020

CVE-2021-32715

Vulnerability Description

Related Vulnerabilities

CVE-2018-4030

CVE-2019-17567

CVE-2019-18678

CVE-2019-20372

CVE-2019-20866

CVE-2020-5220