Vapor up to 4.89.x vapor_urlparser_parse unmaintained third party components

Summaryinfo

A vulnerability, which was classified as problematic, was found in Vapor up to 4.89.x. Impacted is the function vapor_urlparser_parse. Such manipulation leads to use of unmaintained third party components. This vulnerability is referenced as CVE-2024-21631. It is possible to launch the attack remotely. No exploit is available. You should upgrade the affected component.

Detailsinfo

A vulnerability was found in Vapor up to 4.89.x. It has been rated as problematic. Affected by this issue is the function vapor_urlparser_parse. The manipulation with an unknown input leads to a use of unmaintained third party components vulnerability. Using CWE to declare the problem leads to CWE-1104. The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer. Impacted is integrity. CVE summarizes:

Vapor is an HTTP web framework for Swift. Prior to version 4.90.0, Vapor's `vapor_urlparser_parse` function uses `uint16_t` indexes when parsing a URI's components, which may cause integer overflows when parsing untrusted inputs. This vulnerability does not affect Vapor directly but could impact applications relying on the URI type for validating user input. The URI type is used in several places in Vapor. A developer may decide to use URI to represent a URL in their application (especially if that URL is then passed to the HTTP Client) and rely on its public properties and methods. However, URI may fail to properly parse a valid (albeit abnormally long) URL, due to string ranges being converted to 16-bit integers. An attacker may use this behavior to trick the application into accepting a URL to an untrusted destination. By padding the port number with zeros, an attacker can cause an integer overflow to occur when the URL authority is parsed and, as a result, spoof the host. Version 4.90.0 contains a patch for this issue. As a workaround, validate user input before parsing as a URI or, if possible, use Foundation's `URL` and `URLComponents` utilities.

The weakness was published 01/03/2024 as GHSA-r6r4-5pr8-gjcp. The advisory is available at github.com. This vulnerability is handled as CVE-2024-21631 since 12/29/2023. Technical details are known, but there is no available exploit.

Upgrading to version 4.90.0 eliminates this vulnerability. Applying the patch 6db3d917b5ce5024a84eb265ef65691383305d70 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Name

• Vapor

Version

• 4.0
• 4.1
• 4.2
• 4.3
• 4.4
• 4.5
• 4.6
• 4.7
• 4.8
• 4.9
• 4.10
• 4.11
• 4.12
• 4.13
• 4.14
• 4.15
• 4.16
• 4.17
• 4.18
• 4.19
• 4.20
• 4.21
• 4.22
• 4.23
• 4.24
• 4.25
• 4.26
• 4.27
• 4.28
• 4.29
• 4.30
• 4.31
• 4.32
• 4.33
• 4.34
• 4.35
• 4.36
• 4.37
• 4.38
• 4.39
• 4.40
• 4.41
• 4.42
• 4.43
• 4.44
• 4.45
• 4.46
• 4.47
• 4.48
• 4.49
• 4.50
• 4.51
• 4.52
• 4.53
• 4.54
• 4.55
• 4.56
• 4.57
• 4.58
• 4.59
• 4.60
• 4.61
• 4.62
• 4.63
• 4.64
• 4.65
• 4.66
• 4.67
• 4.68
• 4.69
• 4.70
• 4.71
• 4.72
• 4.73
• 4.74
• 4.75
• 4.76
• 4.77
• 4.78
• 4.79
• 4.80
• 4.81
• 4.82
• 4.83
• 4.84
• 4.85
• 4.86
• 4.87
• 4.88
• 4.89

License

• open-source

Website

• Product: https://github.com/vapor/vapor/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion