You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Path to vulnerable library: /cargo-audit/Cargo.toml,/Cargo.toml
Dependency Hierarchy:
rustsec-0.23.3.crate (Root Library)
cargo-edit-0.7.0.crate
reqwest-0.10.10.crate
js-sys-0.3.50.crate
wasm-bindgen-0.2.73.crate
wasm-bindgen-macro-0.2.73.crate
wasm-bindgen-macro-support-0.2.73.crate
wasm-bindgen-backend-0.2.73.crate
❌ bumpalo-3.6.1.crate (Vulnerable Library)
Found in base branch: main
Vulnerability Details
In bumpalo prior to 3.11.1, the lifetime of the iterator produced by Vec::into_iter() is not constrained to the lifetime of the Bump that allocated the vector's memory. Using the iterator after the Bump is dropped causes use-after-free accesses.
Path to vulnerable library: /cargo-audit/Cargo.toml
Dependency Hierarchy:
rustsec-0.23.3.crate (Root Library)
cargo-edit-0.7.0.crate
❌ regex-1.4.6.crate (Vulnerable Library)
Found in base branch: main
Vulnerability Details
regex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API. Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes. All versions of the regex crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from regex 1.5.5. All users accepting user-controlled regexes are recommended to upgrade immediately to the latest version of the regex crate. Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, it us not recommend to deny known problematic regexes.
Path to vulnerable library: /Cargo.toml,/cargo-audit/Cargo.toml
Dependency Hierarchy:
rustsec-0.23.3.crate (Root Library)
cargo-edit-0.7.0.crate
git2-0.13.18.crate
libgit2-sys-0.12.19+1.1.0.crate
libssh2-sys-0.2.21.crate
❌ libz-sys-1.1.2.crate (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Zlib in versions v0.8 to v1.2.11 is vulnerable to use-of-uninitialized-value in inflate.
There are a couple of places in inflate() where UPDATE is called with state->check as its first parameter, without a guarantee that this value has been initialized (state comes from a ZALLOC in inflateInit). This causes use of uninitialized check value.
libgit2 is a cross-platform, linkable library implementation of Git. When using an SSH remote with the optional libssh2 backend, libgit2 does not perform certificate checking by default. Prior versions of libgit2 require the caller to set the certificate_check field of libgit2's git_remote_callbacks structure - if a certificate check callback is not set, libgit2 does not perform any certificate checking. This means that by default - without configuring a certificate check callback, clients will not perform validation on the server SSH keys and may be subject to a man-in-the-middle attack. Users are encouraged to upgrade to v1.4.5 or v1.5.1. Users unable to upgrade should ensure that all relevant certificates are manually checked.
Vulnerable Library - rustsec-0.23.3.crate
Path to dependency file: /cargo-audit/Cargo.toml
Path to vulnerable library: /cargo-audit/Cargo.toml
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
WS-2023-0006
Vulnerable Library - bumpalo-3.6.1.crate
A fast bump allocation arena for Rust.
Library home page: https://crates.io/api/v1/crates/bumpalo/3.6.1/download
Path to dependency file: /cargo-audit/Cargo.toml
Path to vulnerable library: /cargo-audit/Cargo.toml,/Cargo.toml
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
In bumpalo prior to 3.11.1, the lifetime of the iterator produced by Vec::into_iter() is not constrained to the lifetime of the Bump that allocated the vector's memory. Using the iterator after the Bump is dropped causes use-after-free accesses.
Publish Date: 2023-01-14
URL: WS-2023-0006
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://rustsec.org/advisories/RUSTSEC-2022-0078.html
Release Date: 2023-01-14
Fix Resolution: bumpalo - 3.11.1
WS-2023-0195
Vulnerable Library - openssl-0.10.33.crate
OpenSSL bindings
Library home page: https://crates.io/api/v1/crates/openssl/0.10.33/download
Path to dependency file: /cargo-audit/Cargo.toml
Path to vulnerable library: /cargo-audit/Cargo.toml
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
openssl
X509VerifyParamRef::set_host
buffer over-readPublish Date: 2023-06-22
URL: WS-2023-0195
CVSS 3 Score Details (9.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-xcf7-rvmh-g6q4
Release Date: 2023-06-22
Fix Resolution: openssl - 0.10.55
CVE-2022-24713
Vulnerable Library - regex-1.4.6.crate
An implementation of regular expressions for Rust. This implementation uses finite automata and guarantees linear time matching on all inputs.
Library home page: https://crates.io/api/v1/crates/regex/1.4.6/download
Path to dependency file: /cargo-audit/Cargo.toml
Path to vulnerable library: /cargo-audit/Cargo.toml
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
regex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API. Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes. All versions of the regex crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from regex 1.5.5. All users accepting user-controlled regexes are recommended to upgrade immediately to the latest version of the regex crate. Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, it us not recommend to deny known problematic regexes.
Publish Date: 2022-03-08
URL: CVE-2022-24713
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-m5pq-gvj9-9vr8
Release Date: 2022-03-08
Fix Resolution: regex - 1.5.5
WS-2023-0082
Vulnerable Library - openssl-0.10.33.crate
OpenSSL bindings
Library home page: https://crates.io/api/v1/crates/openssl/0.10.33/download
Path to dependency file: /cargo-audit/Cargo.toml
Path to vulnerable library: /cargo-audit/Cargo.toml
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
openssl
X509NameBuilder::build
returned object is not thread safePublish Date: 2023-03-25
URL: WS-2023-0082
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-3gxf-9r58-2ghg
Release Date: 2023-03-25
Fix Resolution: openssl - 0.10.48
WS-2023-0081
Vulnerable Library - openssl-0.10.33.crate
OpenSSL bindings
Library home page: https://crates.io/api/v1/crates/openssl/0.10.33/download
Path to dependency file: /cargo-audit/Cargo.toml
Path to vulnerable library: /cargo-audit/Cargo.toml
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
openssl
X509Extension::new
andX509Extension::new_nid
null pointer dereferencePublish Date: 2023-03-25
URL: WS-2023-0081
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-6hcf-g6gr-hhcr
Release Date: 2023-03-25
Fix Resolution: openssl - 0.10.48
WS-2023-0083
Vulnerable Library - openssl-0.10.33.crate
OpenSSL bindings
Library home page: https://crates.io/api/v1/crates/openssl/0.10.33/download
Path to dependency file: /cargo-audit/Cargo.toml
Path to vulnerable library: /cargo-audit/Cargo.toml
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
openssl
SubjectAlternativeName
andExtendedKeyUsage::other
allow arbitrary file readPublish Date: 2023-03-25
URL: WS-2023-0083
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-9qwg-crg9-m2vc
Release Date: 2023-03-25
Fix Resolution: openssl - 0.10.48
WS-2020-0368
Vulnerable Library - libz-sys-1.1.2.crate
Low-level bindings to the system libz library (also known as zlib).
Library home page: https://crates.io/api/v1/crates/libz-sys/1.1.2/download
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml,/cargo-audit/Cargo.toml
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Zlib in versions v0.8 to v1.2.11 is vulnerable to use-of-uninitialized-value in inflate.
There are a couple of places in inflate() where UPDATE is called with state->check as its first parameter, without a guarantee that this value has been initialized (state comes from a ZALLOC in inflateInit). This causes use of uninitialized check value.
Publish Date: 2020-02-22
URL: WS-2020-0368
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2020-0368
Release Date: 2020-02-22
Fix Resolution: cmake-native - 3.15.5;binutils-cross-testsuite - 2.35;libstd-rs - 1.57.0;gdb - 11.1,9.2;tcl - 8.6.11;sudo - 1.8.32;binutils - 2.35,2.28;ccache - 3.3.3,4.1;libgit2 - 1.3.0;cmake - 3.19.5,3.7.0,3.7.2,3.22.0,3.17.3;cmake-native - 3.17.3,3.7.0,3.22.0,3.18.4;ghostscript - 9.55.0
CVE-2023-22742
Vulnerable Library - libgit2-sys-0.12.19+1.1.0.crate
Native bindings to the libgit2 library
Library home page: https://crates.io/api/v1/crates/libgit2-sys/0.12.19+1.1.0/download
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml,/cargo-audit/Cargo.toml
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
libgit2 is a cross-platform, linkable library implementation of Git. When using an SSH remote with the optional libssh2 backend, libgit2 does not perform certificate checking by default. Prior versions of libgit2 require the caller to set the
certificate_check
field of libgit2'sgit_remote_callbacks
structure - if a certificate check callback is not set, libgit2 does not perform any certificate checking. This means that by default - without configuring a certificate check callback, clients will not perform validation on the server SSH keys and may be subject to a man-in-the-middle attack. Users are encouraged to upgrade to v1.4.5 or v1.5.1. Users unable to upgrade should ensure that all relevant certificates are manually checked.Publish Date: 2023-01-20
URL: CVE-2023-22742
CVSS 3 Score Details (5.9)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-m4ch-rfv5-x5g3
Release Date: 2023-01-20
Fix Resolution: git2 - 0.16.1, libgit2-sys - 0.13.5+1.4.5,0.14.2+1.5.1
The text was updated successfully, but these errors were encountered: