Vulnerability Details CVE-2022-39294
conduit-hyper integrates a conduit application with the hyper server. Prior to version 0.4.2, `conduit-hyper` did not check any limit on a request's length before calling [`hyper::body::to_bytes`](https://docs.rs/hyper/latest/hyper/body/fn.to_bytes.html). An attacker could send a malicious request with an abnormally large `Content-Length`, which could lead to a panic if memory allocation failed for that request. In version 0.4.2, `conduit-hyper` sets an internal limit of 128 MiB per request, otherwise returning status 400 ("Bad Request"). This crate is part of the implementation of Rust's [crates.io](https://crates.io/), but that service is not affected due to its existing cloud infrastructure, which already drops such malicious requests. Even with the new limit in place, `conduit-hyper` is not recommended for production use, nor to directly serve the public Internet.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 21.6%
CVSS Severity
CVSS v3 Score 7.5
References
Products affected by CVE-2022-39294
-
cpe:2.3:a:conduit-hyper_project:conduit-hyper:0.2.0
-
cpe:2.3:a:conduit-hyper_project:conduit-hyper:0.3.0
-
cpe:2.3:a:conduit-hyper_project:conduit-hyper:0.4.0
-
cpe:2.3:a:conduit-hyper_project:conduit-hyper:0.4.1