Auto-merge PR#2203

2025-08-04 08:44:25 +00:00 · 2021-07-09 10:00:19 -04:00 · 2021-07-09 10:00:19 -04:00 · dcb66a36a9
commit dcb66a36a9
parent a0c2ecec72 03864c3edc
1 changed files with 76 additions and 6 deletions
--- a/2021/32xxx/CVE-2021-32742.json
+++ b/2021/32xxx/CVE-2021-32742.json
@ -1,18 +1,88 @@
 {
-    "data_type": "CVE",
-    "data_format": "MITRE",
-    "data_version": "4.0",
    "CVE_data_meta": {
+        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-32742",
-        "ASSIGNER": "cve@mitre.org",
-        "STATE": "RESERVED"
+        "STATE": "PUBLIC",
+        "TITLE": "Untrusted data fed into `Data.init(base32Encoded:)` can result in exposing server memory and/or crash"
    },
+    "affects": {
+        "vendor": {
+            "vendor_data": [
+                {
+                    "product": {
+                        "product_data": [
+                            {
+                                "product_name": "vapor",
+                                "version": {
+                                    "version_data": [
+                                        {
+                                            "version_value": "<= 4.47.1"
+                                        }
+                                    ]
+                                }
+                            }
+                        ]
+                    },
+                    "vendor_name": "vapor"
+                }
+            ]
+        }
+    },
+    "data_format": "MITRE",
+    "data_type": "CVE",
+    "data_version": "4.0",
    "description": {
        "description_data": [
            {
                "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+                "value": "Vapor is a web framework for Swift. In versions 4.47.1 and prior, bug in the `Data.init(base32Encoded:)` function opens up the potential for exposing server memory and/or crashing the server (Denial of Service) for applications where untrusted data can end up in said function. Vapor does not currently use this function itself so this only impact applications that use the impacted function directly or through other dependencies. The vulnerability is patched in version 4.47.2. As a workaround, one may use an alternative to Vapor's built-in `Data.init(base32Encoded:)`."
            }
        ]
+    },
+    "impact": {
+        "cvss": {
+            "attackComplexity": "HIGH",
+            "attackVector": "NETWORK",
+            "availabilityImpact": "HIGH",
+            "baseScore": 7.5,
+            "baseSeverity": "HIGH",
+            "confidentialityImpact": "HIGH",
+            "integrityImpact": "HIGH",
+            "privilegesRequired": "LOW",
+            "scope": "UNCHANGED",
+            "userInteraction": "NONE",
+            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
+            "version": "3.1"
+        }
+    },
+    "problemtype": {
+        "problemtype_data": [
+            {
+                "description": [
+                    {
+                        "lang": "eng",
+                        "value": "CWE-502: Deserialization of Untrusted Data"
+                    }
+                ]
+            }
+        ]
+    },
+    "references": {
+        "reference_data": [
+            {
+                "name": "https://github.com/vapor/vapor/security/advisories/GHSA-pqwh-c2f3-vxmq",
+                "refsource": "CONFIRM",
+                "url": "https://github.com/vapor/vapor/security/advisories/GHSA-pqwh-c2f3-vxmq"
+            },
+            {
+                "name": "https://github.com/vapor/vapor/releases/tag/4.47.2",
+                "refsource": "MISC",
+                "url": "https://github.com/vapor/vapor/releases/tag/4.47.2"
+            }
+        ]
+    },
+    "source": {
+        "advisory": "GHSA-pqwh-c2f3-vxmq",
+        "discovery": "UNKNOWN"
    }
 }