Github Security Blog · added 2023/08/03 4:35 p.m.

odoh-rs's Invalid Slice Split Results in Server Panic

A vulnerability was discovered in the odoh-rs rust crate that stems from faulty logic during the parsing of encrypted queries. This issue specifically occurs when processing encrypted query data received from remote clients. Impact: An attacker with knowledge of this vulnerability could craft and...

CVSS 5.9 · AI score 6.7 · EPSS 0.0065
Exploits 0 · References 6 · Affected Software 1

OSV · added 2023/08/03 4:30 p.m.

GHSA-J3XP-WFR4-HX87 Cargo not respecting umask when extracting crate archives

The Rust Security Response WG was notified that Cargo did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local user, another local user could exploit this to change the source code compiled and executed b...

CVSS 7.9 · AI score 7.1 · EPSS 0.00763
Exploits 0 · References 10

Github Security Blog · added 2023/08/03 4:30 p.m.

Cargo not respecting umask when extracting crate archives

The Rust Security Response WG was notified that Cargo did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local user, another local user could exploit this to change the source code compiled and executed b...

CVSS 7.9 · AI score 6.8 · EPSS 0.00763
Exploits 0 · References 10 · Affected Software 1

NVD · added 2023/08/03 3:15 p.m.

CVE-2023-3766

A vulnerability was discovered in the odoh-rs rust crate that stems from faulty logic during the parsing of encrypted queries. This issue specifically occurs when processing encrypted query data received from remote clients and enables an attacker with knowledge of this vulnerability to craft and...

CVSS 5.9 · AI score 5.7 · EPSS 0.0065
Exploits 0 · References 2

Prion · added 2023/08/03 3:15 p.m.

Code injection

A vulnerability was discovered in the odoh-rs rust crate that stems from faulty logic during the parsing of encrypted queries. This issue specifically occurs when processing encrypted query data received from remote clients and enables an attacker with knowledge of this vulnerability to craft and...

CVSS 2.6 · AI score 5.7 · EPSS 0.0065
Exploits 0 · References 2 · Affected Software 1

Ubuntu · added 2023/08/03 2:30 p.m.

USN-6275-1: Cargo vulnerability

Addison Crump discovered that Cargo incorrectly set file permissions on UNIX-like systems when extracting crate archives. If the crate would contain files writable by any user, a local attacker could possibly use this issue to execute code as another user...

CVSS 7.9 · AI score 7.2 · EPSS 0.00763
Exploits 0

CVE · added 2023/08/03 1:49 p.m.

CVE-2023-3766

The CVE-2023-3766 issue affects the odoh-rs Rust crate, caused by faulty logic in parsing encrypted queries. When processing data from remote clients, an attacker can craft specially designed encrypted queries that trigger a server panic/crash, temporarily disrupting ODOH service availability. Pa...

CVSS 5.9 · AI score 5.6 · EPSS 0.0065
Exploits 0 · References 2 · Affected Software 1

vulnersOsv · added 2023/08/03 12:00 p.m.

doh-proxy (=0.4.0), libdoh (>=0.4.0 <=0.9.4) +1 more potentially affected by CVE-2023-3766 via odoh-rs (>=0.1.11 <=1.0.0)

odoh-rs CARGO version =0.1.11, =0.4.0, =0.1.0, =0.1.9. Source CVEs: CVE-2023-3766. Source advisory: OSV:RUSTSEC-2023-0095...

CVSS 5.9 · AI score 6.2 · EPSS 0.0065
Exploits 0

UbuntuCve · added 2023/08/03 12:00 p.m.

CVE-2023-38497

Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local...

CVSS 7.9 · AI score 6.9 · EPSS 0.00763
Exploits 0 · References 5

OSV · added 2023/08/03 12:00 p.m.

UBUNTU-CVE-2023-38497

Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local...

CVSS 7.9 · AI score 7 · EPSS 0.00763
Exploits 0 · References 6

OSV · added 2023/08/03 12:00 p.m.

RUSTSEC-2023-0095 Invalid Slice Split Results in Server Panic

A vulnerability was discovered in the odoh-rs rust crate that stems from faulty logic during the parsing of encrypted queries. This issue specifically occurs when processing encrypted query data received from remote clients. Impact: An attacker with knowledge of this vulnerability could craft and...

CVSS 5.9 · AI score 6.9 · EPSS 0.0065
Exploits 0 · References 4

RustSec · added 2023/08/03 12:00 p.m.

Invalid Slice Split Results in Server Panic

A vulnerability was discovered in the odoh-rs rust crate that stems from faulty logic during the parsing of encrypted queries. This issue specifically occurs when processing encrypted query data received from remote clients. Impact: An attacker with knowledge of this vulnerability could craft and...

CVSS 5.9 · AI score 7 · EPSS 0.0065
Exploits 0 · Affected Software 1

Positive Technologies · added 2023/08/03 12:00 a.m.

PT-2023-9267 · Rust +10 · Cargo +10

Name of the Vulnerable Software and Affected Versions: Cargo versions prior to 0.72.2; Rust versions prior to 1.71.1. Description: The issue is related to the Cargo package manager for the Rust programming language, which ignores umask when extracting archives created in UNIX-like systems. This cou...

CVSS 7.9 · AI score 7.3 · EPSS 0.00846
Exploits 0 · References 61

CNNVD · added 2023/08/03 12:00 a.m.

odoh-rs security vulnerability

odoh-rs is a Cloudflare open source library that implements the RFC 9230 Oblivious DNS over HTTPS protocol in Rust. A security vulnerability exists in versions prior to odoh-rs rust crate 1.0.2, which stems from faulty logic during the parsing of encrypted queries, and which can be exploited by a...

CVSS 5.9 · AI score 6.7 · EPSS 0.0065
Exploits 0 · References 3

CNNVD · added 2023/08/03 12:00 a.m.

Cargo security breach

Cargo is a Rust package manager open-sourced by The Rust Programming Language. A security vulnerability exists in versions of Cargo prior to 0.72.2, which stems from the fact that on UNIX-like systems, Cargo does not take into account the umask setting when extracting crate archives...

CVSS 7.9 · AI score 6.7 · EPSS 0.00763
Exploits 0 · References 13

RedhatCVE · added 2023/08/02 9:50 a.m.

CVE-2021-32256

An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.36. It is a stack-overflow issue in demangle_type in rust-demangle.c...

AI score 6.9 · EPSS 0.00667
Exploits 1 · References 3

The Hacker News · added 2023/07/31 1:38 p.m.

New P2PInfect Worm Targets Redis Servers with Undocumented Breach Methods

The P2PInfect peer-to-peer (P2P) worm has been observed employing previously undocumented initial access methods to breach susceptible Redis servers and rope them into a botnet. "The malware compromises exposed instances of the Redis data store by exploiting the replication feature," Cado Security...

CVSS 10 · AI score 9.1 · EPSS 0.9967
Exploits 8

vulnersOsv · added 2023/07/30 12:00 p.m.

anchor-client (=0.26.0), basejmp (=0.1.0) +250 more potentially affected by unknown CVE via dlopen_derive (=0.1.4)

dlopen_derive CARGO version =0.1.4 is affected by a known vulnerability. The following packages have a transitive dependency on dlopen_derive and may be impacted: - anchor-client =0.26.0 - basejmp =0.1.0 - bonfida-test-utils =0.1.0 - bonfida-utils =0.2.3, =0.2.0, =1.0.4, =2.0.16, =1.4.2, =1.3.0,...

AI score 5.8
Exploits 0

The Hacker News · added 2023/07/26 7:08 a.m.

Rust-based Realst Infostealer Targeting Apple macOS Users' Cryptocurrency Wallets

A new malware family called Realst has become the latest to target Apple macOS systems, with a third of the samples already designed to infect macOS 14 Sonoma, the upcoming major release of the operating system. Written in the Rust programming language, the malware is distributed in the form of...

AI score 6.6
Exploits 0

hivepro · added 2023/07/21 8:38 a.m.

A New Cross-Platform ‘P2PInfect’ Worm Threatening Cloud Environments

Threat Level: Attack Report. Summary: P2PInfect, a new cross-platform worm written in Rust, targets vulnerable Redis instances in cloud environments via the CVE-2022-0543 vulnerability, potentially posing a significant threat to over 307,000...

CVSS 10 · AI score 6.8 · EPSS 0.9967
Exploits 8