RUSTSEC-2023-0018: sqlx-cli depends on vulnerable remove_dir_all version 0.7.0
#2755
Labels
Comments
|
It seems like this dependency isn't even used anymore and so could simply be removed. |
|
If that's the case, I could take a stab at it :) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Bug Description
RUSTSEC-2023-0018:
sqlx-clidepends on vulnerableremove_dir_allversion 0.7.0 (reference https://rustsec.org/advisories/RUSTSEC-2023-0018).Minimal Reproduction
cargo audit Fetching advisory database from `https://github.com/RustSec/advisory-db.git` Loaded 570 security advisories (from /Users/aldur/.cargo/advisory-db) Updating crates.io index Scanning Cargo.lock for vulnerabilities (293 crate dependencies) Crate: remove_dir_all Version: 0.7.0 Title: Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU) Date: 2023-02-24 ID: RUSTSEC-2023-0018 URL: https://rustsec.org/advisories/RUSTSEC-2023-0018 Solution: Upgrade to >=0.8.0 Dependency tree: remove_dir_all 0.7.0 └── sqlx-cli 0.7.1 └── zap-it-later 0.1.0 error: 1 vulnerability found!Info
{ version = "0.7.1", features = ["runtime-tokio", "sqlite", "chrono"] }3.39.5 2022-10-14 20:58:05 554764a6e721fab307c63a4f98cd958c8428a5d9d8edfde951858d6fd02daaplmacOS 13.5.2rustc --version:rustc 1.72.0 (5680fa18f 2023-08-23The text was updated successfully, but these errors were encountered: