Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

rustsec-0.23.3.crate: 8 vulnerabilities (highest severity is: 9.8) #327

Open
mend-for-github.aaakk.us.kg bot opened this issue Nov 20, 2023 · 0 comments

Comments

@mend-for-github.aaakk.us.kg
Copy link

Vulnerable Library - rustsec-0.23.3.crate

Path to dependency file: /cargo-audit/Cargo.toml

Path to vulnerable library: /cargo-audit/Cargo.toml

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (rustsec version) Remediation Possible**
WS-2023-0006 Critical 9.8 bumpalo-3.6.1.crate Transitive N/A*
WS-2023-0195 Critical 9.1 openssl-0.10.33.crate Transitive N/A*
CVE-2022-24713 High 7.5 regex-1.4.6.crate Transitive N/A*
WS-2023-0082 High 7.5 openssl-0.10.33.crate Transitive N/A*
WS-2023-0081 High 7.5 openssl-0.10.33.crate Transitive N/A*
WS-2023-0083 High 7.5 openssl-0.10.33.crate Transitive N/A*
WS-2020-0368 Medium 6.5 libz-sys-1.1.2.crate Transitive N/A*
CVE-2023-22742 Medium 5.9 libgit2-sys-0.12.19+1.1.0.crate Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

WS-2023-0006

Vulnerable Library - bumpalo-3.6.1.crate

A fast bump allocation arena for Rust.

Library home page: https://crates.io/api/v1/crates/bumpalo/3.6.1/download

Path to dependency file: /cargo-audit/Cargo.toml

Path to vulnerable library: /cargo-audit/Cargo.toml,/Cargo.toml

Dependency Hierarchy:

  • rustsec-0.23.3.crate (Root Library)
    • cargo-edit-0.7.0.crate
      • reqwest-0.10.10.crate
        • js-sys-0.3.50.crate
          • wasm-bindgen-0.2.73.crate
            • wasm-bindgen-macro-0.2.73.crate
              • wasm-bindgen-macro-support-0.2.73.crate
                • wasm-bindgen-backend-0.2.73.crate
                  • bumpalo-3.6.1.crate (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In bumpalo prior to 3.11.1, the lifetime of the iterator produced by Vec::into_iter() is not constrained to the lifetime of the Bump that allocated the vector's memory. Using the iterator after the Bump is dropped causes use-after-free accesses.

Publish Date: 2023-01-14

URL: WS-2023-0006

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2022-0078.html

Release Date: 2023-01-14

Fix Resolution: bumpalo - 3.11.1

WS-2023-0195

Vulnerable Library - openssl-0.10.33.crate

OpenSSL bindings

Library home page: https://crates.io/api/v1/crates/openssl/0.10.33/download

Path to dependency file: /cargo-audit/Cargo.toml

Path to vulnerable library: /cargo-audit/Cargo.toml

Dependency Hierarchy:

  • rustsec-0.23.3.crate (Root Library)
    • cargo-edit-0.7.0.crate
      • reqwest-0.10.10.crate
        • tokio-tls-0.3.1.crate
          • native-tls-0.2.7.crate
            • openssl-0.10.33.crate (Vulnerable Library)

Found in base branch: main

Vulnerability Details

openssl X509VerifyParamRef::set_host buffer over-read

Publish Date: 2023-06-22

URL: WS-2023-0195

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-xcf7-rvmh-g6q4

Release Date: 2023-06-22

Fix Resolution: openssl - 0.10.55

CVE-2022-24713

Vulnerable Library - regex-1.4.6.crate

An implementation of regular expressions for Rust. This implementation uses finite automata and guarantees linear time matching on all inputs.

Library home page: https://crates.io/api/v1/crates/regex/1.4.6/download

Path to dependency file: /cargo-audit/Cargo.toml

Path to vulnerable library: /cargo-audit/Cargo.toml

Dependency Hierarchy:

  • rustsec-0.23.3.crate (Root Library)
    • cargo-edit-0.7.0.crate
      • regex-1.4.6.crate (Vulnerable Library)

Found in base branch: main

Vulnerability Details

regex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API. Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes. All versions of the regex crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from regex 1.5.5. All users accepting user-controlled regexes are recommended to upgrade immediately to the latest version of the regex crate. Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, it us not recommend to deny known problematic regexes.

Publish Date: 2022-03-08

URL: CVE-2022-24713

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-m5pq-gvj9-9vr8

Release Date: 2022-03-08

Fix Resolution: regex - 1.5.5

WS-2023-0082

Vulnerable Library - openssl-0.10.33.crate

OpenSSL bindings

Library home page: https://crates.io/api/v1/crates/openssl/0.10.33/download

Path to dependency file: /cargo-audit/Cargo.toml

Path to vulnerable library: /cargo-audit/Cargo.toml

Dependency Hierarchy:

  • rustsec-0.23.3.crate (Root Library)
    • cargo-edit-0.7.0.crate
      • reqwest-0.10.10.crate
        • tokio-tls-0.3.1.crate
          • native-tls-0.2.7.crate
            • openssl-0.10.33.crate (Vulnerable Library)

Found in base branch: main

Vulnerability Details

openssl X509NameBuilder::build returned object is not thread safe

Publish Date: 2023-03-25

URL: WS-2023-0082

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3gxf-9r58-2ghg

Release Date: 2023-03-25

Fix Resolution: openssl - 0.10.48

WS-2023-0081

Vulnerable Library - openssl-0.10.33.crate

OpenSSL bindings

Library home page: https://crates.io/api/v1/crates/openssl/0.10.33/download

Path to dependency file: /cargo-audit/Cargo.toml

Path to vulnerable library: /cargo-audit/Cargo.toml

Dependency Hierarchy:

  • rustsec-0.23.3.crate (Root Library)
    • cargo-edit-0.7.0.crate
      • reqwest-0.10.10.crate
        • tokio-tls-0.3.1.crate
          • native-tls-0.2.7.crate
            • openssl-0.10.33.crate (Vulnerable Library)

Found in base branch: main

Vulnerability Details

openssl X509Extension::new and X509Extension::new_nid null pointer dereference

Publish Date: 2023-03-25

URL: WS-2023-0081

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-6hcf-g6gr-hhcr

Release Date: 2023-03-25

Fix Resolution: openssl - 0.10.48

WS-2023-0083

Vulnerable Library - openssl-0.10.33.crate

OpenSSL bindings

Library home page: https://crates.io/api/v1/crates/openssl/0.10.33/download

Path to dependency file: /cargo-audit/Cargo.toml

Path to vulnerable library: /cargo-audit/Cargo.toml

Dependency Hierarchy:

  • rustsec-0.23.3.crate (Root Library)
    • cargo-edit-0.7.0.crate
      • reqwest-0.10.10.crate
        • tokio-tls-0.3.1.crate
          • native-tls-0.2.7.crate
            • openssl-0.10.33.crate (Vulnerable Library)

Found in base branch: main

Vulnerability Details

openssl SubjectAlternativeName and ExtendedKeyUsage::other allow arbitrary file read

Publish Date: 2023-03-25

URL: WS-2023-0083

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-9qwg-crg9-m2vc

Release Date: 2023-03-25

Fix Resolution: openssl - 0.10.48

WS-2020-0368

Vulnerable Library - libz-sys-1.1.2.crate

Low-level bindings to the system libz library (also known as zlib).

Library home page: https://crates.io/api/v1/crates/libz-sys/1.1.2/download

Path to dependency file: /Cargo.toml

Path to vulnerable library: /Cargo.toml,/cargo-audit/Cargo.toml

Dependency Hierarchy:

  • rustsec-0.23.3.crate (Root Library)
    • cargo-edit-0.7.0.crate
      • git2-0.13.18.crate
        • libgit2-sys-0.12.19+1.1.0.crate
          • libssh2-sys-0.2.21.crate
            • libz-sys-1.1.2.crate (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Zlib in versions v0.8 to v1.2.11 is vulnerable to use-of-uninitialized-value in inflate.
There are a couple of places in inflate() where UPDATE is called with state->check as its first parameter, without a guarantee that this value has been initialized (state comes from a ZALLOC in inflateInit). This causes use of uninitialized check value.

Publish Date: 2020-02-22

URL: WS-2020-0368

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2020-0368

Release Date: 2020-02-22

Fix Resolution: cmake-native - 3.15.5;binutils-cross-testsuite - 2.35;libstd-rs - 1.57.0;gdb - 11.1,9.2;tcl - 8.6.11;sudo - 1.8.32;binutils - 2.35,2.28;ccache - 3.3.3,4.1;libgit2 - 1.3.0;cmake - 3.19.5,3.7.0,3.7.2,3.22.0,3.17.3;cmake-native - 3.17.3,3.7.0,3.22.0,3.18.4;ghostscript - 9.55.0

CVE-2023-22742

Vulnerable Library - libgit2-sys-0.12.19+1.1.0.crate

Native bindings to the libgit2 library

Library home page: https://crates.io/api/v1/crates/libgit2-sys/0.12.19+1.1.0/download

Path to dependency file: /Cargo.toml

Path to vulnerable library: /Cargo.toml,/cargo-audit/Cargo.toml

Dependency Hierarchy:

  • rustsec-0.23.3.crate (Root Library)
    • cargo-edit-0.7.0.crate
      • git2-0.13.18.crate
        • libgit2-sys-0.12.19+1.1.0.crate (Vulnerable Library)

Found in base branch: main

Vulnerability Details

libgit2 is a cross-platform, linkable library implementation of Git. When using an SSH remote with the optional libssh2 backend, libgit2 does not perform certificate checking by default. Prior versions of libgit2 require the caller to set the certificate_check field of libgit2's git_remote_callbacks structure - if a certificate check callback is not set, libgit2 does not perform any certificate checking. This means that by default - without configuring a certificate check callback, clients will not perform validation on the server SSH keys and may be subject to a man-in-the-middle attack. Users are encouraged to upgrade to v1.4.5 or v1.5.1. Users unable to upgrade should ensure that all relevant certificates are manually checked.

Publish Date: 2023-01-20

URL: CVE-2023-22742

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-m4ch-rfv5-x5g3

Release Date: 2023-01-20

Fix Resolution: git2 - 0.16.1, libgit2-sys - 0.13.5+1.4.5,0.14.2+1.5.1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

0 participants