Vulnerability Description
Vapor is a web framework for Swift. In versions 4.47.1 and prior, bug in the `Data.init(base32Encoded:)` function opens up the potential for exposing server memory and/or crashing the server (Denial of Service) for applications where untrusted data can end up in said function. Vapor does not currently use this function itself so this only impact applications that use the impacted function directly or through other dependencies. The vulnerability is patched in version 4.47.2. As a workaround, one may use an alternative to Vapor's built-in `Data.init(base32Encoded:)`.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vapor Project | Vapor | < 4.47.2 |
Related Weaknesses (CWE)
References
- https://github.com/vapor/vapor/releases/tag/4.47.2Release NotesThird Party Advisory
- https://github.com/vapor/vapor/security/advisories/GHSA-pqwh-c2f3-vxmqThird Party Advisory
- https://github.com/vapor/vapor/releases/tag/4.47.2Release NotesThird Party Advisory
- https://github.com/vapor/vapor/security/advisories/GHSA-pqwh-c2f3-vxmqThird Party Advisory
FAQ
What is CVE-2021-32742?
CVE-2021-32742 is a vulnerability with a CVSS score of 7.5 (HIGH). Vapor is a web framework for Swift. In versions 4.47.1 and prior, bug in the `Data.init(base32Encoded:)` function opens up the potential for exposing server memory and/or crashing the server (Denial o...
How severe is CVE-2021-32742?
CVE-2021-32742 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-32742?
Check the references section above for vendor advisories and patch information. Affected products include: Vapor Project Vapor.