{"id":"RUSTSEC-2022-0072","summary":"Location header incorporates user input, allowing open redirect","details":"When `hyper-staticfile` performs a redirect for a directory request (e.g. a\nrequest for `/dir` that redirects to `/dir/`), the `Location` header value was\nderived from user input (the request path), simply appending a slash. The\nintent was to perform an origin-relative redirect, but specific inputs\nallowed performing a scheme-relative redirect instead.\n\nAn attacker could craft a special URL that would appear to be for the correct\ndomain, but immediately redirects to a malicious domain. Such a URL can benefit\nphishing attacks, for example an innocent looking link in an email.","aliases":["GHSA-5wvv-q5fv-2388"],"modified":"2023-11-08T04:15:57.217822Z","published":"2022-12-23T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/hyper-staticfile"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2022-0072.html"},{"type":"WEB","url":"https://github.com/stephank/hyper-staticfile/commit/f12cadc6666c6f555d29725f5bc45da2103f24ea"}],"affected":[{"package":{"name":"hyper-staticfile","ecosystem":"crates.io","purl":"pkg:cargo/hyper-staticfile"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.9.4"},{"introduced":"0.10.0-0"},{"fixed":"0.10.0-alpha.5"}]}],"ecosystem_specific":{"affects":{"os":[],"arch":[],"functions":[]},"affected_functions":null},"database_specific":{"categories":["format-injection"],"informational":null,"cvss":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0072.json"}}],"schema_version":"1.7.3"}