Lucene search

GitHub Advisory DatabaseGHSA-RV9V-R4VM-GJ8X

HistoryAug 19, 2024 - 3:30 a.m.

Miniscript allows stack consumption

2024-08-1903:30:48

CWE-674

CWE-770

CWE-787

GitHub Advisory Database

github.com

miniscript

vulnerability

rust

library

stack consumption

tree depth tracking

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

19.6%

JSON

The Miniscript (aka rust-miniscript) library for Rust allows stack consumption because it does not properly track tree depth.

Affected configurations

Vulners

Node

miniscriptRange<9.2.0

miniscriptRange10.0.0–10.2.0

miniscriptRange11.0.0–11.2.0

miniscriptRange12.0.0–12.2.0

VendorProductVersionCPE
*miniscript*cpe:2.3:a:*:miniscript:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
*	miniscript	*	cpe:2.3:a::miniscript::::::::*

References

github.com/advisories/GHSA-rv9v-r4vm-gj8x

github.com/rust-bitcoin/rust-miniscript/commit/5b0f5e3417f027a22b066debf825dbe6644b575b

github.com/rust-bitcoin/rust-miniscript/commit/8f54b5e3fb7129ed9fbed53f1cb9e6e62ea4c151

github.com/rust-bitcoin/rust-miniscript/compare/11.2.0...12.2.0

github.com/rust-bitcoin/rust-miniscript/pull/704

github.com/rust-bitcoin/rust-miniscript/pull/712

github.com/rust-bitcoin/rust-miniscript/pull/712/files

github.com/rust-bitcoin/rust-miniscript/pull/713/files

github.com/rust-bitcoin/rust-miniscript/pull/714/files

github.com/rust-bitcoin/rust-miniscript/pull/715/files

nvd.nist.gov/vuln/detail/CVE-2024-44073

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

19.6%

JSON

Related for GHSA-RV9V-R4VM-GJ8X