CVE-2024-21631
Published: 03 January 2024
Summary
CVE-2024-21631 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Vapor Vapor. Its CVSS base score is 6.5 (Medium).
Operationally, ranked in the top 45.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-0412
Vulnerability details
Vapor is an HTTP web framework for Swift. Prior to version 4.90.0, Vapor's `vapor_urlparser_parse` function uses `uint16_t` indexes when parsing a URI's components, which may cause integer overflows when parsing untrusted inputs. This vulnerability does not affect Vapor directly but…
more
could impact applications relying on the URI type for validating user input. The URI type is used in several places in Vapor. A developer may decide to use URI to represent a URL in their application (especially if that URL is then passed to the HTTP Client) and rely on its public properties and methods. However, URI may fail to properly parse a valid (albeit abnormally long) URL, due to string ranges being converted to 16-bit integers. An attacker may use this behavior to trick the application into accepting a URL to an untrusted destination. By padding the port number with zeros, an attacker can cause an integer overflow to occur when the URL authority is parsed and, as a result, spoof the host. Version 4.90.0 contains a patch for this issue. As a workaround, validate user input before parsing as a URI or, if possible, use Foundation's `URL` and `URLComponents` utilities.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Security groups frequently discuss maintenance status of third-party components, aiding identification and avoidance of unmaintained ones.
Maintaining an accurate, reviewed inventory of all system components enables tracking of third-party software versions and maintenance status, reducing the risk of using unmaintained components.
The maintenance policy requires regular updates and upkeep of systems and third-party components, directly reducing the presence of unmaintained software that attackers can exploit.
Requiring quick access to maintenance support and spare parts after failure necessitates using actively supported components rather than unmaintained third-party ones.
Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.
Contact with security communities directly informs personnel of unmaintained components and their vulnerabilities, reducing the likelihood of their continued use.
Threat intelligence sharing directly informs organizations of newly discovered vulnerabilities and exploitation in third-party components, enabling timely updates or replacement before attackers can leverage them.
Resource allocation in investment requests funds regular maintenance, patching, and updates of third-party components.