Partial details (24 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
Hyperium Hyper before 0.14.19 does not allow for customization of the max_header_list_size method in the H2 third-party software, allowing attackers to perform HTTP2 attacks.
An issue was discovered in hyper v0.13.7. h2-0.2.4 Stream stacking occurs when the H2 component processes HTTP2 RST_STREAM frames. As a result, the memory and CPU usage are high which can lead to a Denial of Service (DoS).
Vulnerable Library - cargo-audit-0.15.0.crate
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
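The Dependency Hierarchy listings in this report trace each finding from the root library down to the vulnerable crate, and the footnote above turns on whether some version of the transitive crate is fixed and reachable. As an added example, written for this page and not taken from Mend or from cargo-audit, the following Rust program reconstructs such chains from a Cargo.lock: it parses the `[[package]]` tables and lists every dependency path from a root package to a given name and version, which is the information needed to decide which direct dependency has to move for a transitive fix to take effect. The embedded lockfile is constructed for illustration; its cargo-audit → abscissa_core → tracing-subscriber → smallvec 0.6.14 chain mirrors the report, but it is not cargo-audit's real lockfile.

```rust
use std::collections::HashMap;

/// Locked package identity; a Cargo.lock may hold several versions of one name.
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub struct PkgId { pub name: String, pub version: String }

impl PkgId {
    pub fn new(name: &str, version: &str) -> Self { PkgId { name: name.into(), version: version.into() } }
    /// Label in the report's "name-version.crate" style.
    pub fn label(&self) -> String { format!("{}-{}.crate", self.name, self.version) }
}

/// One `[[package]]` table with its raw dependency specs ("name" or "name version").
pub struct Package { pub id: PkgId, pub deps: Vec<String> }

/// Parses the Cargo.lock subset needed here: `[[package]]` tables with `name`, `version`
/// and a multi-line `dependencies = [ ... ]` array; other keys (source, checksum) are skipped.
pub fn parse_lock(text: &str) -> Vec<Package> {
    let mut packages: Vec<Package> = Vec::new();
    let mut in_deps = false;
    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            packages.push(Package { id: PkgId::new("", ""), deps: Vec::new() });
            in_deps = false;
            continue;
        }
        // Lines before the first table (the lockfile `version = N` header) carry no package.
        let pkg = match packages.last_mut() { Some(p) => p, None => continue };
        if in_deps {
            if line.starts_with(']') { in_deps = false; continue; }
            // `"name 1.2.3 (registry+...)",` -> "name 1.2.3": the source suffix is dropped
            let spec = line.trim_end_matches(',').trim_matches('"');
            pkg.deps.push(spec.split_whitespace().take(2).collect::<Vec<_>>().join(" "));
        } else if let Some(v) = line.strip_prefix("name = ") {
            pkg.id.name = v.trim_matches('"').to_string();
        } else if let Some(v) = line.strip_prefix("version = ") {
            pkg.id.version = v.trim_matches('"').to_string();
        } else if line.starts_with("dependencies = [") {
            in_deps = true;
        }
    }
    packages
}

/// A bare name resolves only when a single version of it is locked; otherwise Cargo writes
/// "name version" and the match is exact. Ambiguity is left unresolved, never guessed.
fn resolve(spec: &str, by_name: &HashMap<&str, Vec<&PkgId>>) -> Option<PkgId> {
    let mut parts = spec.split_whitespace();
    let candidates = by_name.get(parts.next()?)?;
    match parts.next() {
        Some(v) => candidates.iter().find(|id| id.version == v).map(|id| (*id).clone()),
        None if candidates.len() == 1 => Some(candidates[0].clone()),
        None => None,
    }
}

/// Every chain from `root` down to `target`, as report-style labels. The `stack`
/// membership check cuts cycles, so a dev-dependency loop cannot recurse forever.
pub fn paths_to(packages: &[Package], root: &PkgId, target: &PkgId) -> Vec<Vec<String>> {
    let mut by_name: HashMap<&str, Vec<&PkgId>> = HashMap::new();
    for p in packages { by_name.entry(p.id.name.as_str()).or_default().push(&p.id); }
    let graph: HashMap<PkgId, Vec<PkgId>> = packages.iter()
        .map(|p| (p.id.clone(), p.deps.iter().filter_map(|d| resolve(d, &by_name)).collect::<Vec<PkgId>>()))
        .collect();
    fn walk(node: &PkgId, target: &PkgId, graph: &HashMap<PkgId, Vec<PkgId>>,
            stack: &mut Vec<PkgId>, out: &mut Vec<Vec<String>>) {
        if node == target { out.push(stack.iter().map(PkgId::label).collect()); return; }
        for child in graph.get(node).map(Vec::as_slice).unwrap_or(&[]) {
            if stack.contains(child) { continue; }
            stack.push(child.clone());
            walk(child, target, graph, stack, out);
            stack.pop();
        }
    }
    let (mut out, mut stack) = (Vec::new(), vec![root.clone()]);
    walk(root, target, &graph, &mut stack, &mut out);
    out
}

/// Constructed lockfile, not cargo-audit's real one; the chain mirrors the report above.
pub const SAMPLE_LOCK: &str = r#"version = 3
[[package]]
name = "abscissa_core"
version = "0.5.2"
dependencies = [
 "tracing-subscriber",
]
[[package]]
name = "cargo-audit"
version = "0.15.0"
dependencies = [
 "abscissa_core",
]
[[package]]
name = "smallvec"
version = "0.6.14"
[[package]]
name = "tracing-subscriber"
version = "0.1.6"
dependencies = [
 "smallvec",
]
"#;

fn main() {
    let packages = parse_lock(SAMPLE_LOCK);
    for chain in paths_to(&packages, &PkgId::new("cargo-audit", "0.15.0"), &PkgId::new("smallvec", "0.6.14")) {
        println!("{}", chain.join(" -> "));
    }
}
```

To use it on a real project, read Cargo.lock into `parse_lock` and query the flagged name and version; when several chains come back, every direct dependency at the head of a chain has to move (or the transitive crate has to be pinned with `cargo update -p <name> --precise <version>`) before the finding clears.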
Details
CVE-2021-25900
Vulnerable Library - smallvec-0.6.14.crate
'Small vector' optimization: store up to a small number of items on the stack
Library home page: https://crates.io/api/v1/crates/smallvec/0.6.14/download
Path to dependency file: /cargo-audit/Cargo.toml
Path to vulnerable library: /home/wss-scanner/.cargo/registry/cache/github.com-1ecc6299db9ec823/smallvec-0.6.14.crate
Dependency Hierarchy:
cargo-audit-0.15.0.crate (Root Library)
abscissa_core-0.5.2.crate
tracing-subscriber-0.1.6.crate
❌ smallvec-0.6.14.crate (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in the smallvec crate before 0.6.14 and 1.x before 1.6.1 for Rust. There is a heap-based buffer overflow in SmallVec::insert_many. Note that the flagged smallvec-0.6.14 is the release this advisory names as fixed (see Fix Resolution below), so for this dependency the finding is a version-matching false positive.
Mend Note: Converted from WS-2021-0002, on 2021-02-01.
Publish Date: 2021-01-26
URL: CVE-2021-25900
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-43w2-9j62-hq99
Release Date: 2021-01-26
Fix Resolution: 0.6.14;1.6.1
CVE-2020-25575
Vulnerable Library - failure-0.1.8.crate
Experimental error handling abstraction.
Library home page: https://crates.io/api/v1/crates/failure/0.1.8/download
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered in the failure crate through 0.1.5 for Rust. It may introduce "compatibility hazards" in some applications, and has a type confusion flaw when downcasting. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: This may overlap CVE-2019-25010.
Publish Date: 2020-09-14
URL: CVE-2020-25575
CVSS 3 Score Details (9.8)
Base Score Metrics:
CVE-2022-2274
Vulnerable Library - openssl-src-111.15.0+1.1.1k.crate
Source of OpenSSL and logic to build it.
Library home page: https://crates.io/api/v1/crates/openssl-src/111.15.0+1.1.1k/download
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation. SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue. Note that the description limits this bug to the 3.0.4 release, so the 1.1.1k sources bundled by openssl-src-111.15.0+1.1.1k are outside the affected range; this entry is a version-matching false positive for the crate as pinned, and the jump to the 300.x crate series suggested below is not required on its account.
Publish Date: 2022-07-01
URL: CVE-2022-2274
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2274
Release Date: 2022-07-01
Fix Resolution: openssl-src - 300.0.9+3.0.5
CVE-2019-25010
Vulnerable Library - failure-0.1.8.crate
Experimental error handling abstraction.
Library home page: https://crates.io/api/v1/crates/failure/0.1.8/download
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
An issue was discovered in the failure crate through 2019-11-13 for Rust. Type confusion can occur when private_get_type_id is overridden.
Mend Note: Converted from WS-2019-0506, on 2021-01-19.
Publish Date: 2020-12-31
URL: CVE-2019-25010
CVSS 3 Score Details (9.8)
Base Score Metrics:
WS-2023-0006
Vulnerable Library - bumpalo-3.7.0.crate
A fast bump allocation arena for Rust.
Library home page: https://crates.io/api/v1/crates/bumpalo/3.7.0/download
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
In bumpalo prior to 3.11.1, the lifetime of the iterator produced by Vec::into_iter() is not constrained to the lifetime of the Bump that allocated the vector's memory. Using the iterator after the Bump is dropped causes use-after-free accesses.
Publish Date: 2023-01-14
URL: WS-2023-0006
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://rustsec.org/advisories/RUSTSEC-2022-0078.html
Release Date: 2023-01-14
Fix Resolution: bumpalo - 3.11.1
WS-2023-0027
Vulnerable Library - tokio-0.2.25.crate
An event-driven, non-blocking I/O platform for writing asynchronous I/O backed applications.
Library home page: https://crates.io/api/v1/crates/tokio/0.2.25/download
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
A soundness issue was discovered in tokio: tokio::io::ReadHalf::unsplit can violate the Pin contract. The specific set of conditions needed to trigger the issue (a !Unpin type in ReadHalf) is unusual, and that is combined with the difficulty of making an arbitrary use-after-free exploitable in Rust without careful alignment of data types in the surrounding code. The tokio feature io-util must also be enabled for the soundness issue to be reachable.
Publish Date: 2023-02-02
URL: WS-2023-0027
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://rustsec.org/advisories/RUSTSEC-2023-0005.html
Release Date: 2023-02-02
Fix Resolution: tokio - 1.18.5,1.20.4,1.24.2
WS-2023-0223
Vulnerable Library - atty-0.2.14.crate
A simple interface for querying atty
Library home page: https://crates.io/api/v1/crates/atty/0.2.14/download
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
atty potential unaligned read
Publish Date: 2023-06-30
URL: WS-2023-0223
CVSS 3 Score Details (9.8)
Base Score Metrics:
CVE-2021-3711
Vulnerable Library - openssl-src-111.15.0+1.1.1k.crate
Source of OpenSSL and logic to build it.
Library home page: https://crates.io/api/v1/crates/openssl-src/111.15.0+1.1.1k/download
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able to present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).
Publish Date: 2021-08-24
URL: CVE-2021-3711
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.openssl.org/news/secadv/20210824.txt
Release Date: 2021-08-24
Fix Resolution: OpenSSL_1_1_1l
CVE-2021-32714
Vulnerable Library - hyper-0.13.10.crate
A fast and correct HTTP library.
Library home page: https://crates.io/api/v1/crates/hyper/0.13.10/download
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
hyper is an HTTP library for Rust. In versions prior to 0.14.10, hyper's HTTP server and client code had a flaw that could trigger an integer overflow when decoding chunk sizes that are too big. This allows possible data loss, or if combined with an upstream HTTP proxy that allows chunk sizes larger than hyper does, can result in "request smuggling" or "desync attacks." The vulnerability is patched in version 0.14.10. Two possible workarounds exist. One may reject requests manually that contain a Transfer-Encoding header or ensure any upstream proxy rejects Transfer-Encoding chunk sizes greater than what fits in 64-bit unsigned integers.
Publish Date: 2021-07-07
URL: CVE-2021-32714
CVSS 3 Score Details (9.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32714
Release Date: 2021-07-07
Fix Resolution: hyper - 0.14.10
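The overflow described for CVE-2021-32714 is easiest to see in a decoder. The Rust program below is an added example written for this page, not hyper's code: a minimal chunked-body decoder that takes the chunk-size parser as a parameter. `parse_chunk_size_wrapping` has the vulnerable shape (wrapping accumulation, so a 17-digit hexadecimal size equal to 2^64 silently becomes 0 and reads as the terminating chunk), while `parse_chunk_size_checked` rejects any size that does not fit in a u64, which is the second workaround the advisory names. The wire samples are constructed: `SMUGGLED` carries a wrapped-to-zero chunk followed by bytes that a desynchronised server would parse as a second request.

```rust
/// Result of parsing the hexadecimal size field of one HTTP/1.1 chunk.
#[derive(Debug, PartialEq, Eq)]
pub enum ChunkSize {
    Size(u64),
    /// More than 64 bits: must be rejected, never wrapped.
    Overflow,
    Invalid,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ChunkError {
    Overflow,
    Invalid,
    Truncated,
    /// Fits in u64 but not in usize on this platform.
    TooLarge,
}

fn hex_digit(b: u8) -> Option<u64> {
    (b as char).to_digit(16).map(u64::from)
}

/// Vulnerable shape (illustrative, not hyper's code): wrapping accumulation, so the
/// 17-digit size "10000000000000000" (16^16 = 2^64) silently becomes 0.
pub fn parse_chunk_size_wrapping(field: &str) -> ChunkSize {
    if field.is_empty() { return ChunkSize::Invalid; }
    let mut size: u64 = 0;
    for b in field.bytes() {
        let d = match hex_digit(b) { Some(d) => d, None => return ChunkSize::Invalid };
        size = size.wrapping_mul(16).wrapping_add(d);
    }
    ChunkSize::Size(size)
}

/// Hardened shape: checked accumulation; anything that does not fit in u64 is an error,
/// which is the "reject chunk sizes larger than 64 bits" workaround from the advisory.
pub fn parse_chunk_size_checked(field: &str) -> ChunkSize {
    if field.is_empty() { return ChunkSize::Invalid; }
    let mut size: u64 = 0;
    for b in field.bytes() {
        let d = match hex_digit(b) { Some(d) => d, None => return ChunkSize::Invalid };
        size = match size.checked_mul(16).and_then(|s| s.checked_add(d)) {
            Some(s) => s,
            None => return ChunkSize::Overflow,
        };
    }
    ChunkSize::Size(size)
}

fn find_crlf(buf: &[u8], from: usize) -> Option<usize> {
    buf.get(from..)?.windows(2).position(|w| w == b"\r\n").map(|i| from + i)
}

/// CRLF must sit exactly at `at`; running off the end is a truncation, anything else is invalid.
fn expect_crlf(buf: &[u8], at: usize) -> Result<(), ChunkError> {
    match at.checked_add(2).and_then(|end| buf.get(at..end)) {
        Some(b"\r\n") => Ok(()),
        Some(_) => Err(ChunkError::Invalid),
        None => Err(ChunkError::Truncated),
    }
}

/// Decodes a chunked body (chunk extensions ignored, trailers unsupported) with the supplied
/// size parser. Returns the payload and the number of input bytes consumed: whatever follows
/// `consumed` is what a server would parse as the *next* request on the connection.
pub fn decode_chunked(input: &[u8], parse: fn(&str) -> ChunkSize) -> Result<(Vec<u8>, usize), ChunkError> {
    let (mut pos, mut body) = (0usize, Vec::new());
    loop {
        let eol = find_crlf(input, pos).ok_or(ChunkError::Truncated)?;
        let line = std::str::from_utf8(&input[pos..eol]).map_err(|_| ChunkError::Invalid)?;
        let field = line.split(';').next().unwrap_or("").trim(); // "<size>[;ext=val]"
        let size = match parse(field) {
            ChunkSize::Size(s) => s,
            ChunkSize::Overflow => return Err(ChunkError::Overflow),
            ChunkSize::Invalid => return Err(ChunkError::Invalid),
        };
        pos = eol + 2;
        if size == 0 {
            // last-chunk: the body ends at the terminating CRLF
            expect_crlf(input, pos)?;
            return Ok((body, pos + 2));
        }
        let end = usize::try_from(size).ok().and_then(|s| pos.checked_add(s)).ok_or(ChunkError::TooLarge)?;
        expect_crlf(input, end)?; // also proves input[pos..end] is in bounds
        body.extend_from_slice(&input[pos..end]);
        pos = end + 2;
    }
}

/// Constructed wire samples (not captured traffic). In SMUGGLED the size line is 16^16.
pub const SMUGGLED: &[u8] = b"10000000000000000\r\n\r\nGET /admin HTTP/1.1\r\nHost: internal\r\n\r\n";
pub const NORMAL: &[u8] = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n";

fn main() {
    match decode_chunked(SMUGGLED, parse_chunk_size_wrapping) {
        Ok((body, used)) => {
            let rest = String::from_utf8_lossy(&SMUGGLED[used..]);
            println!("wrapping: body {} bytes; next request line would be {:?}", body.len(), rest.lines().next().unwrap_or(""));
        }
        Err(e) => println!("wrapping: {:?}", e),
    }
    println!("checked on SMUGGLED: {:?}", decode_chunked(SMUGGLED, parse_chunk_size_checked));
    println!("checked on NORMAL: {:?}", decode_chunked(NORMAL, parse_chunk_size_checked));
}
```

With the wrapping parser the decoder returns an empty body after 21 bytes, and `GET /admin HTTP/1.1` is what the connection handler would read next; with the checked parser the same input fails with `Overflow`, and the right response is to close the connection rather than try to resynchronise.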
WS-2023-0045
Vulnerable Library - remove_dir_all-0.5.3.crate
A safe, reliable implementation of remove_dir_all for Windows
Library home page: https://crates.io/api/v1/crates/remove_dir_all/0.5.3/download
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
The remove_dir_all crate is a Rust library that offers additional features over the Rust standard library fs::remove_dir_all function. It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked.
Publish Date: 2023-02-24
URL: WS-2023-0045
CVSS 3 Score Details (9.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-mc8h-8q98-g5hr
Release Date: 2023-02-24
Fix Resolution: remove_dir_all - 0.8.0
WS-2023-0195
Vulnerable Library - openssl-0.10.35.crate
OpenSSL bindings
Library home page: https://crates.io/api/v1/crates/openssl/0.10.35/download
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
openssl X509VerifyParamRef::set_host buffer over-read
Publish Date: 2023-06-22
URL: WS-2023-0195
CVSS 3 Score Details (9.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-xcf7-rvmh-g6q4
Release Date: 2023-06-22
Fix Resolution: openssl - 0.10.55
WS-2022-0242
Vulnerable Library - owning_ref-0.4.1.crate
A library for creating references that carry their owner with them.
Library home page: https://crates.io/api/v1/crates/owning_ref/0.4.1/download
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
All versions of owning_ref in Rust have multiple soundness issues that may result in a use-after-free. The crate violates Rust's aliasing rules, which may cause miscompilations on recent compilers that emit the LLVM noalias attribute.
Publish Date: 2022-01-26
URL: WS-2022-0242
CVSS 3 Score Details (8.8)
Base Score Metrics:
CVE-2021-45710
Vulnerable Library - tokio-0.2.25.crate
An event-driven, non-blocking I/O platform for writing asynchronous I/O backed applications.
Library home page: https://crates.io/api/v1/crates/tokio/0.2.25/download
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
An issue was discovered in the tokio crate before 1.8.4, and 1.9.x through 1.13.x before 1.13.1, for Rust. In certain circumstances involving a closed oneshot channel, there is a data race and memory corruption.
Mend Note: Converted from WS-2021-0424, on 2022-11-07.
Publish Date: 2021-12-27
URL: CVE-2021-45710
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://rustsec.org/advisories/RUSTSEC-2021-0124.html
Release Date: 2021-12-27
Fix Resolution: tokio - 1.8.4,1.13.1
WS-2022-0132
Vulnerable Library - hyper-0.13.10.crate
A fast and correct HTTP library.
Library home page: https://crates.io/api/v1/crates/hyper/0.13.10/download
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
The parser in hyper before 0.14.12 creates an invalid uninitialized value. Affected versions of this crate called mem::uninitialized() in the HTTP/1 parser to create values of type httparse::Header (from the httparse crate). This is unsound, since Header contains references and thus must be non-null.
Publish Date: 2022-05-10
URL: WS-2022-0132
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://rustsec.org/advisories/RUSTSEC-2022-0022.html
Release Date: 2022-05-10
Fix Resolution: hyper - 0.14.12
WS-2023-0082
Vulnerable Library - openssl-0.10.35.crate
OpenSSL bindings
Library home page: https://crates.io/api/v1/crates/openssl/0.10.35/download
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
openssl X509NameBuilder::build returned object is not thread safe
Publish Date: 2023-03-25
URL: WS-2023-0082
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-3gxf-9r58-2ghg
Release Date: 2023-03-25
Fix Resolution: openssl - 0.10.48
WS-2023-0081
Vulnerable Library - openssl-0.10.35.crate
OpenSSL bindings
Library home page: https://crates.io/api/v1/crates/openssl/0.10.35/download
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
openssl X509Extension::new and X509Extension::new_nid null pointer dereference
Publish Date: 2023-03-25
URL: WS-2023-0081
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-6hcf-g6gr-hhcr
Release Date: 2023-03-25
Fix Resolution: openssl - 0.10.48
CVE-2022-0778
Vulnerable Library - openssl-src-111.15.0+1.1.1k.crate
Source of OpenSSL and logic to build it.
Library home page: https://crates.io/api/v1/crates/openssl-src/111.15.0+1.1.1k/download
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).
Publish Date: 2022-03-15
URL: CVE-2022-0778
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-jf66-3q76-h5p5
Release Date: 2022-03-15
Fix Resolution: OpenSSL_1_1_1n, openssl-3.0.2
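CVE-2022-0778 is a missing termination bound in the Tonelli-Shanks square-root routine, whose loops only provably terminate when the modulus is prime. The Rust function below is an added example written for this page, not OpenSSL's BN_mod_sqrt(): it computes a modular square root with every loop bounded by the invariant that holds for a prime modulus, plus a final r² ≡ a check, so a composite or otherwise malformed modulus is reported as an error instead of spinning. Arithmetic is on u64 with u128 intermediates, enough to show the control flow; the 2^16 cap on the non-residue search is a heuristic assumption of this example, not something the advisory specifies.

```rust
/// Why a modular square root could not be produced.
#[derive(Debug, PartialEq, Eq)]
pub enum SqrtError {
    /// p is prime but a is a quadratic non-residue.
    NonResidue,
    /// An invariant that holds for prime p failed: p is composite or otherwise malformed.
    NotPrime,
}

pub fn mul_mod(a: u64, b: u64, m: u64) -> u64 {
    ((a as u128 * b as u128) % m as u128) as u64
}

pub fn pow_mod(mut base: u64, mut exp: u64, m: u64) -> u64 {
    let mut acc = 1 % m;
    base %= m;
    while exp > 0 {
        if exp & 1 == 1 {
            acc = mul_mod(acc, base, m);
        }
        base = mul_mod(base, base, m);
        exp >>= 1;
    }
    acc
}

/// Tonelli-Shanks square root of `a` modulo `p`, bounded so that it cannot loop forever.
pub fn mod_sqrt(a: u64, p: u64) -> Result<u64, SqrtError> {
    if p < 2 || (p > 2 && p % 2 == 0) {
        return Err(SqrtError::NotPrime);
    }
    let a = a % p;
    if a == 0 || p == 2 {
        return Ok(a);
    }
    // Euler's criterion: for prime p, a^((p-1)/2) is 1 for a residue and p-1 for a
    // non-residue. Any other value already proves p is not prime.
    match pow_mod(a, (p - 1) / 2, p) {
        1 => {}
        x if x == p - 1 => return Err(SqrtError::NonResidue),
        _ => return Err(SqrtError::NotPrime),
    }
    // p - 1 = q * 2^s with q odd
    let mut q = p - 1;
    let mut s = 0u32;
    while q % 2 == 0 {
        q /= 2;
        s += 1;
    }
    // Smallest quadratic non-residue z. For a prime this is found almost immediately
    // (the 2^16 cap is a heuristic of this example); a composite p can make the test
    // produce values other than ±1, which is reported rather than searched past.
    let mut z = 2u64;
    loop {
        match pow_mod(z, (p - 1) / 2, p) {
            x if x == p - 1 => break,
            1 => {}
            _ => return Err(SqrtError::NotPrime),
        }
        z += 1;
        if z >= p || z > 1 << 16 {
            return Err(SqrtError::NotPrime);
        }
    }
    let mut m = s;
    let mut c = pow_mod(z, q, p);
    let mut t = pow_mod(a, q, p);
    let mut r = pow_mod(a, (q + 1) / 2, p);
    // For prime p, m strictly decreases every round, so s + 1 checks always suffice.
    for _ in 0..=s {
        if t == 1 {
            // Cheap final check that also catches composite moduli that slipped through.
            return if mul_mod(r, r, p) == a { Ok(r) } else { Err(SqrtError::NotPrime) };
        }
        // Least i with t^(2^i) == 1; for prime p it exists with 0 < i < m. Without the
        // `i >= m` exit this is the loop that never ends on a bad modulus.
        let mut i = 0u32;
        let mut tt = t;
        while tt != 1 {
            tt = mul_mod(tt, tt, p);
            i += 1;
            if i >= m {
                return Err(SqrtError::NotPrime);
            }
        }
        let b = pow_mod(c, 1u64 << (m - i - 1), p);
        m = i;
        c = mul_mod(b, b, p);
        t = mul_mod(t, c, p);
        r = mul_mod(r, b, p);
    }
    Err(SqrtError::NotPrime)
}

fn main() {
    for (a, p) in vec![(10u64, 13u64), (2, 41), (3, 7), (4, 15), (1, 15)] {
        println!("sqrt({}) mod {} -> {:?}", a, p, mod_sqrt(a, p));
    }
}
```

`mod_sqrt(4, 15)` and `mod_sqrt(1, 15)` both return `NotPrime`: the first fails Euler's criterion, the second passes it and is caught in the non-residue search. Those exits are the kind of bound a certificate parser needs before it hands attacker-supplied curve parameters to this routine.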
CVE-2018-25023
Vulnerable Library - smallvec-0.6.14.crate
'Small vector' optimization: store up to a small number of items on the stack
Library home page: https://crates.io/api/v1/crates/smallvec/0.6.14/download
Path to dependency file: /cargo-audit/Cargo.toml
Path to vulnerable library: /home/wss-scanner/.cargo/registry/cache/github.com-1ecc6299db9ec823/smallvec-0.6.14.crate
Dependency Hierarchy:
cargo-audit-0.15.0.crate (Root Library)
abscissa_core-0.5.2.crate
tracing-subscriber-0.1.6.crate
❌ smallvec-0.6.14.crate (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in the smallvec crate before 0.6.13 for Rust. It can create an uninitialized value of any type, including a reference type. Note that the flagged smallvec-0.6.14 is later than the 0.6.13 fix named below, so for this dependency the finding is a version-matching false positive.
Mend Note: Converted from WS-2018-0636, on 2022-11-07.
Publish Date: 2021-12-27
URL: CVE-2018-25023
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://rustsec.org/advisories/RUSTSEC-2018-0018.html
Release Date: 2021-12-27
Fix Resolution: smallvec - 0.6.13
WS-2023-0083
Vulnerable Library - openssl-0.10.35.crate
OpenSSL bindings
Library home page: https://crates.io/api/v1/crates/openssl/0.10.35/download
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
openssl SubjectAlternativeName and ExtendedKeyUsage::other allow arbitrary file read
Publish Date: 2023-03-25
URL: WS-2023-0083
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-9qwg-crg9-m2vc
Release Date: 2023-03-25
Fix Resolution: openssl - 0.10.48
CVE-2022-4450
Vulnerable Library - openssl-src-111.15.0+1.1.1k.crate
Source of OpenSSL and logic to build it.
Library home page: https://crates.io/api/v1/crates/openssl-src/111.15.0+1.1.1k/download
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.
Publish Date: 2023-02-08
URL: CVE-2022-4450
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.openssl.org/news/vulnerabilities.html
Release Date: 2023-02-08
Fix Resolution: OpenSSL_1_1_1t,openssl-3.0.8
CVE-2022-24713
Vulnerable Library - regex-1.5.4.crate
An implementation of regular expressions for Rust. This implementation uses finite automata and guarantees linear time matching on all inputs.
Library home page: https://crates.io/api/v1/crates/regex/1.5.4/download
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
regex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API. Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes from taking an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes. All versions of the regex crate before or equal to 1.5.4 are affected by this issue. The fix is included starting from regex 1.5.5. All users accepting user-controlled regexes are recommended to upgrade immediately to the latest version of the regex crate. Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, it is not recommended to deny known problematic regexes.
Publish Date: 2022-03-08
URL: CVE-2022-24713
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-m5pq-gvj9-9vr8
Release Date: 2022-03-08
Fix Resolution: regex - 1.5.5
CVE-2022-1473
Vulnerable Library - openssl-src-111.15.0+1.1.1k.crate
Source of OpenSSL and logic to build it.
Library home page: https://crates.io/api/v1/crates/openssl-src/111.15.0+1.1.1k/download
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
The OPENSSL_LH_flush() function, which empties a hash table, contains a bug that breaks reuse of the memory occupied by the removed hash table entries. This function is used when decoding certificates or keys. If a long-lived process periodically decodes certificates or keys, its memory usage will expand without bounds and the process might be terminated by the operating system, causing a denial of service. Also, traversing the empty hash table entries will take increasingly more time. Typically such long-lived processes might be TLS clients or TLS servers configured to accept client certificate authentication. The function was added in the OpenSSL 3.0 version, thus older releases are not affected by the issue. Fixed in OpenSSL 3.0.3 (Affected 3.0.0, 3.0.1, 3.0.2).
Publish Date: 2022-05-03
URL: CVE-2022-1473
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://rustsec.org/advisories/RUSTSEC-2022-0025.html
Release Date: 2022-05-03
Fix Resolution: openssl-src - 300.0.6+3.0.3
CVE-2022-31394
Vulnerable Library - hyper-0.13.10.crate
A fast and correct HTTP library.
Library home page: https://crates.io/api/v1/crates/hyper/0.13.10/download
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Hyperium Hyper before 0.14.19 does not allow for customization of the max_header_list_size method in the H2 third-party software, allowing attackers to perform HTTP2 attacks.
Publish Date: 2023-02-21
URL: CVE-2022-31394
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2023-02-21
Fix Resolution: hyper - v0.14.19
CVE-2023-26964
Vulnerable Libraries - hyper-0.13.10.crate, h2-0.2.7.crate
hyper-0.13.10.crate
A fast and correct HTTP library.
Library home page: https://crates.io/api/v1/crates/hyper/0.13.10/download
Dependency Hierarchy:
h2-0.2.7.crate
An HTTP/2.0 client and server
Library home page: https://crates.io/api/v1/crates/h2/0.2.7/download
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
An issue was discovered in hyper v0.13.7. h2-0.2.4 Stream stacking occurs when the H2 component processes HTTP2 RST_STREAM frames. As a result, the memory and CPU usage are high which can lead to a Denial of Service (DoS).
Publish Date: 2023-04-11
URL: CVE-2023-26964
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-f8vr-r385-rh5r
Release Date: 2023-04-11
Fix Resolution: h2 - 0.3.17