How severe is CVE-2021-32714?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.1 out of 10.

What type of vulnerability is CVE-2021-32714?

This is classified as CWE-190, which is a common weakness in software security.

CVE-2021-32714 - CRITICAL Severity | CVSS 9.1

Vulnerability Description

hyper is an HTTP library for Rust. In versions prior to 0.14.10, hyper's HTTP server and client code had a flaw that could trigger an integer overflow when decoding chunk sizes that are too big. This allows possible data loss, or if combined with an upstream HTTP proxy that allows chunk sizes larger than hyper does, can result in "request smuggling" or "desync attacks." The vulnerability is patched in version 0.14.10. Two possible workarounds exist. One may reject requests manually that contain a `Transfer-Encoding` header or ensure any upstream proxy rejects `Transfer-Encoding` chunk sizes greater than what fits in 64-bit unsigned integers.

Related Vulnerabilities

CVE-2015-2310

CRITICAL

CVSS:9.1(Critical)

Integer overflow in layout.c++ in Sandstorm Cap'n Proto before 0.4.1.1 and 0.5.x before 0.5.1.1 allows remote peers to cause a denial of service or possibly obtain sensitive information from memory vi...

CWE-1902015

CVE-2017-2782

CRITICAL

CVSS:9.1(Critical)

An integer overflow vulnerability exists in the X509 certificate parsing functionality of InsideSecure MatrixSSL 3.8.7b. A specially crafted x509 certificate can cause a length counter to overflow, le...

CWE-1902017

CVE-2019-16127

CRITICAL

CVSS:9.1(Critical)

Atmel Advanced Software Framework (ASF) 4 has an Integer Overflow.

CWE-1902019

CVE-2020-36242

CRITICAL

CVSS:9.1(Critical)

In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated...

CWE-1902020

CVE-2021-3402

CRITICAL

CVSS:9.1(Critical)

An integer overflow and several buffer overflow reads in libyara/modules/macho/macho.c in YARA v4.0.3 and earlier could allow an attacker to either cause denial of service or information disclosure vi...

CWE-1902021

CVE-2021-35942

CRITICAL

CVSS:9.1(Critical)

The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially re...

CWE-1902021