
Untrusted data fed into `Data.init(base32Encoded:)` can result in exposing server memory and/or crash

Moderate severity GitHub Reviewed Published Jul 9, 2021 in vapor/vapor • Updated Jun 19, 2023

Package

github.com/vapor/vapor (Swift)

Affected versions

< 4.47.2

Patched versions

4.47.2

Description

Impact

A bug in the Data.init(base32Encoded:) function can expose server memory or crash the server (denial of service) in applications where untrusted data reaches that function. Vapor does not itself call this function, so only applications that call it directly, or through another dependency that does, are affected.

Patches

This issue has been patched in 4.47.2.

Workarounds

Until you can upgrade, decode Base32 with an alternative to Vapor's built-in Data.init(base32Encoded:), and do not pass untrusted input to the built-in initializer.
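The following is an added example of such an alternative, written for this page; it is not Vapor's code and does not reproduce the defect described above. It is a strict RFC 4648 Base32 decoder that validates length, padding and alphabet before any buffer is indexed, so malformed input yields nil instead of an out-of-bounds read or a trap. The `SafeBase32` type name and the demo inputs are assumptions chosen for this example.

```swift
import Foundation

/// Strict RFC 4648 Base32 decoder for untrusted input.
/// Added example for this advisory, not Vapor's implementation: every
/// check happens before any buffer is indexed, so malformed input yields
/// nil rather than an out-of-bounds read or a trap.
enum SafeBase32 {
    private static let alphabet = Array("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567".utf8)

    /// Reverse lookup table: input byte -> 5-bit symbol value, nil if the
    /// byte is not in the alphabet (this also rejects lowercase and '=').
    private static let symbolValues: [UInt8?] = {
        var table = [UInt8?](repeating: nil, count: 256)
        for (value, byte) in alphabet.enumerated() {
            table[Int(byte)] = UInt8(value)
        }
        return table
    }()

    /// Legal numbers of trailing '=' characters in a padded final block,
    /// corresponding to 8, 7, 5, 4 or 2 data symbols.
    private static let allowedPadding: Set<Int> = [0, 1, 3, 4, 6]

    static func decode(_ input: String) -> Data? {
        let bytes = Array(input.utf8)

        // Padded Base32 is always a whole number of 8-character blocks;
        // checking this first bounds every index used below.
        guard bytes.count % 8 == 0 else { return nil }

        // Count trailing padding and make sure it matches a valid block shape.
        var dataEnd = bytes.count
        while dataEnd > 0 && bytes[dataEnd - 1] == UInt8(ascii: "=") {
            dataEnd -= 1
        }
        guard allowedPadding.contains(bytes.count - dataEnd) else { return nil }

        var output = [UInt8]()
        output.reserveCapacity(dataEnd * 5 / 8)
        var bitBuffer: UInt32 = 0   // never holds more than 12 bits
        var bitCount = 0

        for byte in bytes[0..<dataEnd] {
            // Anything outside the alphabet (including '=' before the end) is rejected.
            guard let value = symbolValues[Int(byte)] else { return nil }
            bitBuffer = (bitBuffer << 5) | UInt32(value)
            bitCount += 5
            if bitCount >= 8 {
                bitCount -= 8
                output.append(UInt8(truncatingIfNeeded: bitBuffer >> bitCount))
                bitBuffer &= (1 << bitCount) - 1   // keep only the unconsumed bits
            }
        }

        // Canonical encodings set every leftover bit to zero; reject
        // alternative encodings of the same bytes.
        guard bitBuffer == 0 else { return nil }
        return Data(output)
    }
}

// Demo inputs (constructed for this example): the RFC 4648 test vector for
// "foobar", an unpadded full block, a non-canonical final symbol, a length
// that is not a multiple of 8, and padding in the wrong place.
let samples = ["MZXW6YTBOI======", "MZXW6YTB", "MZXW6YT=", "MZXW6YTBO", "MZ=W6YTB"]
for sample in samples {
    if let decoded = SafeBase32.decode(sample) {
        print("\(sample) -> \(Array(decoded))")
    } else {
        print("\(sample) -> rejected")
    }
}
```

The decoder deliberately rejects non-canonical input (leftover bits that are not zero) and lowercase letters; if an application must accept those, relax the corresponding checks rather than the length and alphabet checks, since it is the latter that keep every array access in bounds.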

For more information

If you have any questions or comments about this advisory:

References

siemensikkema published to vapor/vapor Jul 9, 2021
Published by the National Vulnerability Database Jul 9, 2021
Published to the GitHub Advisory Database Jun 9, 2023
Reviewed Jun 9, 2023
Last updated Jun 19, 2023

Severity

Moderate

EPSS score

0.178% (56th percentile)

Weaknesses

CVE ID

CVE-2021-32742

GHSA ID

GHSA-pqwh-c2f3-vxmq

Source code
