Lucene search
GoogleOSV:RUSTSEC-2021-0089HistoryJan 20, 2021 - 12:00 p.m.
Optional `Deserialize` implementations lacking validation
2021-01-2012:00:00
Google
osv.dev
9
deserialize
validation
non-default
serialize
structs
serde
invariants
safe code
undefined behavior
panics
rust-cpuid
software
EPSS
0.002
Percentile
65.2%
When activating the non-default feature serialize, most structs implement
serde::Deserialize without sufficient validation. This allows breaking
invariants in safe code, leading to:
- Undefined behavior in
as_string()methods (which use
std::str::from_utf8_unchecked()internally). - Panics due to failed assertions.
Related
cve
cve
CVE-2021-45687
2021-12-27 00:15:09
nvd
nvd
CVE-2021-45687
2021-12-27 00:15:09
rustsec
rustsec
Optional `Deserialize` implementations lacking validation
2021-01-20 12:00:00
osv
osv
Optional `Deserialize` implementations lacking validation
2022-06-17 00:16:24
Deserialization of Untrusted Data in rust-cpuid
2022-01-06 22:13:12
prion
prion
Memory corruption
2021-12-27 00:15:00
cvelist
cvelist
CVE-2021-45687
2021-12-26 21:51:59
cnvd
cnvd
Rust raw-cpuid crate has an unspecified vulnerability
2021-12-28 00:00:00
github
github
Deserialization of Untrusted Data in rust-cpuid
2022-01-06 22:13:12