Vulnerability Description
<bytes::Bytes as axum_core::extract::FromRequest>::from_request did not, by default, set a limit on the size of the request body. A malicious peer could therefore send a very large (or never-ending) body and make the server run out of memory and crash. The same applies to the extractors that use Bytes::from_request internally: axum::extract::Form, axum::extract::Json, and String.
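The failure mode described above, shown as an added example that is not axum's own code: a plain iterator of chunks stands in for the streaming request body, and the unbounded collector is placed beside a collector that enforces a byte limit while the body is still arriving (the behaviour axum-core gained in 0.2.8). The chunk sizes and the 2 MiB limit are assumptions chosen for illustration.

```rust
// Added example: bounded vs. unbounded aggregation of a streaming body.
// Uses only std; the chunk iterator models the HTTP body a server reads.

#[derive(Debug, PartialEq)]
pub enum BodyError {
    /// The running body size exceeded the configured limit.
    TooLarge { limit: usize, seen_at_least: usize },
}

/// Vulnerable pattern: every chunk is retained with no cap. A peer that keeps
/// sending (e.g. an endless chunked transfer) grows this Vec until the process
/// is killed. Note that a Content-Length check alone would not help, because a
/// chunked body carries no declared length.
pub fn collect_unbounded<I: IntoIterator<Item = Vec<u8>>>(chunks: I) -> Vec<u8> {
    let mut body = Vec::new();
    for chunk in chunks {
        body.extend_from_slice(&chunk);
    }
    body
}

/// Hardened pattern: track the running total and fail as soon as it would
/// exceed `limit`, before the offending chunk is retained. Peak memory is
/// therefore bounded by `limit` plus one chunk.
pub fn collect_limited<I: IntoIterator<Item = Vec<u8>>>(
    chunks: I,
    limit: usize,
) -> Result<Vec<u8>, BodyError> {
    let mut body = Vec::new();
    let mut seen = 0usize;
    for chunk in chunks {
        seen = seen.saturating_add(chunk.len());
        if seen > limit {
            return Err(BodyError::TooLarge { limit, seen_at_least: seen });
        }
        body.extend_from_slice(&chunk);
    }
    Ok(body)
}

/// Constructed stand-in for a never-ending body: yields `chunk_size`-byte
/// chunks forever. Only safe to consume through the limited collector.
pub fn endless_body(chunk_size: usize) -> impl Iterator<Item = Vec<u8>> {
    std::iter::repeat_with(move || vec![b'A'; chunk_size])
}

fn main() {
    let small = vec![b"hello ".to_vec(), b"world".to_vec()];
    assert_eq!(collect_limited(small, 64).unwrap(), b"hello world");
    // collect_unbounded(endless_body(65_536)) would never return.
    println!("{:?}", collect_limited(endless_body(65_536), 2 * 1024 * 1024));
}
```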
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Axum-Core Project | Axum-Core | < 0.2.8 |
Related Weaknesses (CWE)
References
- https://research.jfrog.com/vulnerabilities/axum-core-dos/ (Exploit, Third Party Advisory)
- https://rustsec.org/advisories/RUSTSEC-2022-0055.html (Exploit, Issue Tracking, Patch)
FAQ
What is CVE-2022-3212?
CVE-2022-3212 is a vulnerability with a CVSS score of 7.5 (HIGH). <bytes::Bytes as axum_core::extract::FromRequest>::from_request would not, by default, set a limit for the size of the request body. That meant if a malicious peer would send a very large (or infinite...
How severe is CVE-2022-3212?
CVE-2022-3212 has been rated HIGH with a CVSS base score of 7.5/10. See the CVSS Score section above.
Is there a patch for CVE-2022-3212?
Check the references section above for vendor advisories and patch information. The affected product is Axum-Core (Axum-Core Project), versions earlier than 0.2.8.