Platform: rust
Component: cookie
Fixed in: 0.7.6, 0.6.2
CVE-2017-18589 is a denial-of-service (DoS) vulnerability in the Rust 'cookie' crate. When the crate parses the Max-Age cookie attribute it converts the parsed integer with the time crate's Duration::seconds, which in time 0.1 stores the value internally as milliseconds and panics when seconds * 1000 overflows i64. Any Max-Age that fits in an i64 but exceeds i64::MAX / 1000 therefore crashes the client or server processing the cookie, resulting in a DoS condition. Affected versions are 0.6.x releases before 0.6.2 and 0.7.x releases before 0.7.6 (the two patched releases listed above); the fix adds an explicit range check and clamps the value before it is converted.
An attacker can exploit this by sending a crafted HTTP response whose Set-Cookie header carries a Max-Age value in the overflowing range (for example 9223372036854775807, which is i64::MAX). A client that parses that header with an affected 'cookie' crate panics, so the application crashes or becomes unresponsive; a server that feeds attacker-controlled cookie strings through the crate's parser is exposed in the same way. The impact is limited to availability. The blast radius is the application instance processing the malicious cookie, although a coordinated attack could target many instances to amplify the effect. The vulnerability is a reminder that all external input, including cookie attribute values, must be range-checked before being handed to a constructor that panics on out-of-range input.
CVE-2017-18589 was published on May 6, 2017. There is no indication of this vulnerability being actively exploited in the wild, and it is not listed in the CISA KEV catalog; its EPSS score is 0.33% (56th percentile). Public proof-of-concept (POC) code is available, demonstrating the vulnerability's exploitability. The low complexity of the exploit and the widespread use of the 'cookie' crate mean that it remains a potential risk wherever an affected version is still in a dependency tree.
Exploit status
EPSS: 0.33% (56th percentile)
CVSS vector:
The primary mitigation for CVE-2017-18589 is to upgrade the 'cookie' crate to a patched release: 0.6.2 or later on the 0.6 line, or 0.7.6 or later on the 0.7 line. If upgrading is not immediately feasible, validate the Max-Age value before it reaches the crate's parser and reject or clamp anything above a conservative bound (for example 2^31 seconds, roughly 68 years, which is far below the i64::MAX / 1000 limit that triggers the panic). Note that Max-Age is a Set-Cookie attribute, so server-side validation only helps where the server itself parses attacker-supplied cookie strings; a web application firewall (WAF) that inspects HTTP headers can likewise drop messages carrying an excessively large Max-Age. After upgrading, confirm the fix with a unit test that feeds a cookie string such as "id=x; Max-Age=9223372036854775807" to the parser and verifies that it returns a clamped value instead of panicking.
Patched releases are available: cookie 0.7.6 (0.7 line) and 0.6.2 (0.6 line).
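The following is an added example (not code from the cookie or time crates) that shows both the crash path described above and the range-checked parse the mitigation calls for. It parses the Max-Age attribute out of a constructed Set-Cookie header value; `legacy_duration_seconds` is a stand-in for time 0.1's `Duration::seconds` (it scales seconds to milliseconds and panics on i64 overflow), and the clamp bound `MAX_AGE_CAP_SECS` is an assumed policy value, not the crate's.

```rust
use std::panic;
use std::time::Duration;

/// Largest Max-Age (in seconds) the hardened parser accepts before clamping.
/// The cap is an assumption for this example: time 0.1's Duration::seconds
/// panics once seconds * 1000 overflows i64, so any cap below i64::MAX / 1000
/// avoids that path. 2^31 seconds (about 68 years) is used here.
const MAX_AGE_CAP_SECS: i64 = 1 << 31;

/// Stand-in for the legacy time 0.1 `Duration::seconds`: the value is kept
/// as milliseconds internally and the conversion panics on i64 overflow.
/// This reproduces the crash path of the advisory; it is not the time crate.
fn legacy_duration_seconds(secs: i64) -> i64 {
    secs.checked_mul(1000)
        .expect("Duration::seconds out of bounds") // the panic is the DoS
}

/// Vulnerable shape: whatever parses as an i64 goes straight to the
/// panicking constructor. Returns the Max-Age in milliseconds.
fn parse_max_age_vulnerable(set_cookie: &str) -> Option<i64> {
    max_age_attr(set_cookie)
        .and_then(|v| v.parse::<i64>().ok())
        .map(legacy_duration_seconds)
}

/// Hardened shape: parse, then range-check before any conversion.
/// Values <= 0 become 0 (RFC 6265: expire immediately), values above the
/// cap are clamped, and anything that does not parse as i64 is ignored.
fn parse_max_age_hardened(set_cookie: &str) -> Option<Duration> {
    let raw = max_age_attr(set_cookie)?;
    let secs: i64 = match raw.parse() {
        Ok(n) => n,
        Err(_) => return None, // unparseable attribute: treat as absent
    };
    let clamped = secs.clamp(0, MAX_AGE_CAP_SECS);
    Some(Duration::from_secs(clamped as u64))
}

/// Extract the raw Max-Age attribute value from a Set-Cookie header value,
/// case-insensitively, e.g. "id=abc; Max-Age=3600; Path=/".
fn max_age_attr(set_cookie: &str) -> Option<&str> {
    set_cookie
        .split(';')
        .map(str::trim)
        .skip(1) // the first segment is name=value
        .find_map(|attr| {
            let (k, v) = attr.split_once('=')?;
            if k.trim().eq_ignore_ascii_case("max-age") {
                Some(v.trim())
            } else {
                None
            }
        })
}

fn main() {
    // Constructed header values for the demo, not captured traffic.
    let benign = "session=abc123; Max-Age=3600; Path=/; HttpOnly";
    // i64::MAX parses as an i64 but overflows when scaled to milliseconds.
    let hostile = "session=abc123; Max-Age=9223372036854775807; Path=/";

    println!("benign  (hardened): {:?}", parse_max_age_hardened(benign));
    println!("hostile (hardened): {:?}", parse_max_age_hardened(hostile));

    let outcome = panic::catch_unwind(|| parse_max_age_vulnerable(hostile));
    println!("hostile (vulnerable) panicked: {}", outcome.is_err());
}
```

The `catch_unwind` in `main` is only there to make the panic observable in one process; in a real client the panic unwinds the thread handling the response, which is the denial of service. The hardened parser clamps rather than rejecting because a cookie with an enormous Max-Age is still a valid persistent cookie, just one whose lifetime no implementation can honour literally.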
CVE-2017-18589 is a denial-of-service vulnerability in the Rust 'cookie' crate where parsing large 'Max-Age' cookie values can cause a panic, leading to service disruption. It has a CVSS score of 7.5 (HIGH).
You are affected if your Rust project depends on the 'cookie' crate at a 0.6.x version before 0.6.2 or a 0.7.x version before 0.7.6. Check your Cargo.lock (for example with `cargo tree -i cookie`) to determine whether an upgrade is needed.
Upgrade the 'cookie' crate to 0.6.2 or later (0.6 line) or 0.7.6 or later (0.7 line). Alternatively, range-check or clamp the Max-Age value before it reaches the crate's parser.
There is no public evidence of CVE-2017-18589 being actively exploited in the wild, but the vulnerability remains a potential risk.
Refer to the Rust 'cookie' crate's repository and related discussions for information about this vulnerability: https://github.com/rust-lang/cookie