
GHSA-f67m-9j94-qv9j: Parser creates invalid uninitialized value

CVSS Score: N/A

Basic Information

CVE ID: -
EPSS Score: -
CWE: -
Published: 6/16/2022
Updated: 1/12/2023
KEV Status: No
Technology: Rust

Technical Details

CVSS Vector: -

Package Name: hyper
Ecosystem: rust
Vulnerable Versions: < 0.14.12
First Patched Version: 0.14.12

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from using mem::uninitialized() to create httparse::Header values in the HTTP1 parsing logic. Pull request #2545 shows changes in role.rs where the Server::parse and Client::parse methods were modified to replace mem::uninitialized() with MaybeUninit. These functions handle header parsing and are named directly in the commit messages ('Server::parse - use MaybeUninit' and 'Client::parse - use MaybeUninit'). The advisory explicitly calls out the HTTP1 parser as the affected component, and because httparse::Header contains references, leaving it as uninitialized memory is particularly dangerous here.
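The change described above, sketched as an added example that is not hyper's or httparse's own code: `Header` here is a local stand-in assumed to have the same reference-only fields as `httparse::Header`, and `parse_headers`, `collect` and `MAX_HEADERS` are hypothetical names.

```rust
use std::mem::MaybeUninit;

// Stand-in with the same field shape as httparse::Header (assumption for this
// example). Both fields are references, so they must never be null or garbage.
#[derive(Debug, Clone, Copy, PartialEq)]
struct Header<'a> {
    name: &'a str,
    value: &'a [u8],
}

const MAX_HEADERS: usize = 8; // constructed limit for the example

// Unsound pattern the advisory describes, kept as a comment only:
//     let mut headers: [Header<'_>; MAX_HEADERS] = unsafe { mem::uninitialized() };
// That asserts valid `Header` values exist before anything was written.

// Hypothetical parser: writes one slot per "Name: value" line, returns the count.
fn parse_headers<'a>(
    input: &'a str,
    slots: &mut [MaybeUninit<Header<'a>>; MAX_HEADERS],
) -> Result<usize, &'static str> {
    let mut n = 0;
    for line in input.split("\r\n").filter(|l| !l.is_empty()) {
        if n == MAX_HEADERS {
            return Err("too many headers");
        }
        let (name, value) = line.split_once(':').ok_or("missing colon")?;
        slots[n].write(Header { name: name.trim(), value: value.trim().as_bytes() });
        n += 1;
    }
    Ok(n)
}

// Sound replacement: slots stay MaybeUninit until the parser has written them.
fn collect<'a>(input: &'a str) -> Result<Vec<Header<'a>>, &'static str> {
    let mut slots = [MaybeUninit::<Header<'a>>::uninit(); MAX_HEADERS];
    let n = parse_headers(input, &mut slots)?;
    // SAFETY: parse_headers initialized slots[0..n] before returning n.
    Ok(slots[..n].iter().map(|s| unsafe { s.assume_init_read() }).collect())
}

fn main() {
    // Constructed sample input.
    let headers = collect("Host: example.test\r\nAccept: */*\r\n").unwrap();
    for h in &headers {
        println!("{}: {}", h.name, String::from_utf8_lossy(h.value));
    }
}
```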


WAF Protection Rules

WAF Rule

Affected versions of this crate called `mem::uninitialized()` in the HTTP1 parser to create values of type `httparse::Header` (from the `httparse` crate). This is unsound, since `Header` contains references and thus must be non-null. The flaw was …
