
CVE-2021-43669: HTTP Request Smuggling in github.com/hyperledger/fabric

CVSS Score (v3.1): 7.5
Basic Information

EPSS Score: 0.63576%
Published: 12/3/2021
Updated: 2/1/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name: github.com/hyperledger/fabric
Ecosystem: go
Vulnerable Versions: < 2.4.0
First Patched Version: 2.4.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The GitHub PR #2828 explicitly mentions removing a panic in the ifConfig function to address FAB-18528. The vulnerability description states that attackers could crash orderers by sending messages with invalid headers, which matches an unhandled panic terminating the orderer process. The commit message confirms that this function was the entry point for malicious payloads arriving through the ordering service's RPC interface.
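The failure class described above, an unchecked header that panics inside a request handler and takes the whole process down, is easy to reproduce and to fix in Go. The program below is an added illustration written for this page; it is not Fabric's code and the Message, Header, vulnerableRoute, hardenedRoute and serve names are constructed for the example. It shows the panicking pattern beside a validating version that returns an error, plus a recover guard that keeps a single malformed message from ending the server even if a validator is missed.

```go
package main

import (
	"errors"
	"fmt"
)

// Header and Message are a simplified stand-in for an envelope an orderer
// receives: a payload whose header may be absent or malformed. Constructed
// for this example; they are not Fabric's protobuf types.
type Header struct {
	ChannelID string
	Type      int32
}

type Message struct {
	Header  *Header
	Payload []byte
}

// Sentinel errors returned by the hardened handler.
var (
	ErrMissingHeader = errors.New("missing header")
	ErrBadChannel    = errors.New("empty channel id")
	ErrUnknownType   = errors.New("unknown header type")
)

const (
	typeConfig = 1
	typeNormal = 2
)

// vulnerableRoute reproduces the failure class: it dereferences the header
// without checking it, so a message with no header panics and, without a
// recovery layer, terminates the whole process (a remote denial of service).
func vulnerableRoute(m *Message) string {
	return m.Header.ChannelID // nil-pointer dereference when Header is nil
}

// hardenedRoute validates every field a later stage relies on and reports a
// rejection instead of panicking; the caller returns the error to the client
// and keeps serving other requests.
func hardenedRoute(m *Message) (string, error) {
	if m == nil || m.Header == nil {
		return "", ErrMissingHeader
	}
	if m.Header.ChannelID == "" {
		return "", ErrBadChannel
	}
	switch m.Header.Type {
	case typeConfig, typeNormal:
		return m.Header.ChannelID, nil
	default:
		return "", fmt.Errorf("%w: %d", ErrUnknownType, m.Header.Type)
	}
}

// serve is the defence-in-depth layer: a panic raised while handling one
// request is converted into an error for that request only, so the server
// survives a malformed message even if a validator was missed.
func serve(m *Message, route func(*Message) string) (result string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("rejected malformed message: %v", r)
		}
	}()
	return route(m), nil
}

func main() {
	bad := &Message{Payload: []byte("no header")} // constructed malformed input
	good := &Message{Header: &Header{ChannelID: "mychannel", Type: typeNormal}}

	if _, err := serve(bad, vulnerableRoute); err != nil {
		fmt.Println("vulnerable handler, recovered:", err)
	}
	ch, err := hardenedRoute(bad)
	fmt.Println("hardened handler:", ch, err)
	ch, err = hardenedRoute(good)
	fmt.Println("hardened handler:", ch, err)
}
```

Validation before use is the real fix; the recover guard is a backstop, not a substitute, because a recovered panic may leave partially updated state behind and should be logged and counted so that a burst of rejected messages shows up in monitoring.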


WAF Protection Rules

WAF Rule

A vulnerability has been detected in HyperLedger Fabric v*.*.*, v*.*.*, v*.*.*, v*.*.*. It can easily break down as many orderers as the attacker wants. This bug can be leveraged by constructing a message whose header is invalid to the interface Or…
