
Source: Vulnrichment
Added: 2023/04/19 5:18 p.m. (7 views)

CVE-2023-30610 AWS SDK for Rust will log AWS credentials when TRACE-level logging is enabled for request sending

aws-sigv4 is a Rust library for low-level request signing in the AWS cloud platform. The aws_sigv4::SigningParams struct had a derived Debug implementation. When debug-formatted, it would include a user's AWS access key, AWS secret key, and security token in plaintext. When TRACE-level logging is...

CVSS 5.5 | AI score 5.5 | EPSS 0.00216
Exploits 0 | References 1
Source: CVE
Added: 2023/04/19 5:18 p.m. (62 views)

CVE-2023-30610

The CVE affects aws-sigv4 in the AWS SDK for Rust: the SigningParams Debug output can expose a user's AWS access key, secret key, and session token when TRACE-level logging is enabled, allowing credentials to appear in logs. Affected users should upgrade to fixed releases; patches are listed acro...

CVSS 5.5 | AI score 5.4 | EPSS 0.00216
Exploits 0 | References 1 | Affected Software 1
Source: Cvelist
Added: 2023/04/19 5:18 p.m. (46 views)

CVE-2023-30610 AWS SDK for Rust will log AWS credentials when TRACE-level logging is enabled for request sending

aws-sigv4 is a Rust library for low-level request signing in the AWS cloud platform. The aws_sigv4::SigningParams struct had a derived Debug implementation. When debug-formatted, it would include a user's AWS access key, AWS secret key, and security token in plaintext. When TRACE-level logging is...

CVSS 5.5 | AI score 5.7 | EPSS 0.00216
Exploits 0 | References 1
Source: OSV
Added: 2023/04/19 5:18 p.m. (24 views)

CVE-2023-30610 AWS SDK for Rust will log AWS credentials when TRACE-level logging is enabled for request sending

aws-sigv4 is a Rust library for low-level request signing in the AWS cloud platform. The aws_sigv4::SigningParams struct had a derived Debug implementation. When debug-formatted, it would include a user's AWS access key, AWS secret key, and security token in plaintext. When TRACE-level logging is...

CVSS 5.5 | AI score 5.4 | EPSS 0.00216
Exploits 0 | References 3
Source: vulnersOsv
Added: 2023/04/19 12:00 p.m. (2 views)

acmer (>=0.0.1 <=0.0.16), avalanche-config-installer (>=0.2.36 <=0.2.43) +411 more potentially affected by CVE-2023-30610 via aws-sigv4 (>=0.4.2 <=0.56.1)

aws-sigv4 CARGO version =0.4.2, =0.0.1, =0.2.36, =0.0.18, =0.0.42, =0.0.9, =0.4.0, =0.0.24, =0.21.0, =0.4.0, =0.55.2, =0.4.0, =0.4.0, =0.4.0, =0.4.0, =0.34.0 and more. Source CVEs: CVE-2023-30610. Source advisory: OSV:RUSTSEC-2023-0125...

CVSS 5.5 | AI score 5.9 | EPSS 0.00216
Exploits 0
Source: RustSec
Added: 2023/04/19 12:00 p.m. (2 views)

Logs AWS credentials when TRACE-level logging is enabled

aws-sigv4 is a Rust library for low-level request signing in the AWS cloud platform. The aws_sigv4::SigningParams struct had a derived Debug implementation. When debug-formatted, it would include a user's AWS access key, AWS secret key, and security token in plaintext. When TRACE-level logging is...

CVSS 5.5 | AI score 6 | EPSS 0.00216
Exploits 0 | Affected Software 1
Source: Github Security Blog
Added: 2023/04/17 4:32 p.m. (16 views)

Parsing borsh messages with ZST which are not-copy/clone is unsound

Affected versions of borsh cause undefined behavior when zero-sized types (ZST) are parsed and the Copy/Clone traits are not implemented/derived. For instance, if 1000 instances of a ZST are deserialized, and the ZST is not Copy (this can be achieved through a singleton), then accessing/writing to...

AI score 6.5
Exploits 0 | References 3 | Affected Software 1
Source: OSV
Added: 2023/04/17 4:32 p.m. (20 views)

GHSA-FJX5-QPF4-XJF2 Parsing borsh messages with ZST which are not-copy/clone is unsound

Affected versions of borsh cause undefined behavior when zero-sized types (ZST) are parsed and the Copy/Clone traits are not implemented/derived. For instance, if 1000 instances of a ZST are deserialized, and the ZST is not Copy (this can be achieved through a singleton), then accessing/writing to...

AI score 6.9
Exploits 0 | References 3
Source: CBLMariner
Added: 2023/04/16 1:05 a.m. (17 views)

CVE-2022-46176 affecting package rust for versions less than 1.68.2-1

CVE-2022-46176 affecting package rust for versions less than 1.68.2-1. An upgraded version of the package is available that resolves this issue...

CVSS 5.9 | AI score 6.1 | EPSS 0.00649
Exploits 0
Source: vulnersOsv
Added: 2023/04/12 12:00 p.m. (2 views)

LicenseStore (=0.1.0), NT-anchor-lang (=0.19.0) +944 more potentially affected by unknown CVE via borsh (>=0.2.10 <=0.9.3)

borsh CARGO version =0.2.10, =0.19.0, =0.4.1, =0.1.0, =0.1.0, =1.0.5, =0.0.1, =0.0.1, =0.0.0-alpha, =0.0.1, =0.0.1-alpha.5 and more. Source CVEs: unknown CVE. Source advisory: OSV:RUSTSEC-2023-0033...

AI score 5.5
Exploits 0
Source: RustSec
Added: 2023/04/12 12:00 p.m. (23 views)

Parsing borsh messages with ZST which are not-copy/clone is unsound

Affected versions of borsh cause undefined behavior when zero-sized types (ZST) are parsed and the Copy/Clone traits are not implemented/derived. For instance, if 1000 instances of a ZST are deserialized, and the ZST is not Copy (this can be achieved through a singleton), then accessing/writing to...

AI score 6.5
Exploits 0 | Affected Software 1
Source: vulnersOsv
Added: 2023/04/11 3:30 p.m. (5 views)

BeerHolderBot (>=0.1.0 <=0.3.6), GetPDB (>=0.1.0 <=1.0.1) +4573 more potentially affected by CVE-2023-26964 via h2 (>=0.1.26 <=0.3.12)

h2 CARGO version =0.1.26, =0.1.0, =0.1.0, =0.0.2, =0.1.0, =0.1.0, =0.2.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.0.1, =0.2.0-alpha.0 and more. Source CVEs: CVE-2023-26964. Source advisory: OSV:GHSA-F8VR-R385-RH5R...

CVSS 7.5 | AI score 7.2 | EPSS 0.01111
Exploits 1
Source: OSV
Added: 2023/04/11 3:30 p.m. (28 views)

GHSA-F8VR-R385-RH5R h2 vulnerable to denial of service

Hyper is an HTTP library for Rust and h2 is an HTTP/2 client and server implementation for Rust. An issue was discovered in h2 v0.2.4 when processing header frames. It incorrectly processes HTTP/2 RST_STREAM frames by not always releasing the memory immediately upon receiving the reset frame,...

CVSS 7.5 | AI score 7.6 | EPSS 0.01111
Exploits 1 | References 6
Source: Github Security Blog
Added: 2023/04/11 3:30 p.m. (29 views)

h2 vulnerable to denial of service

Hyper is an HTTP library for Rust and h2 is an HTTP/2 client and server implementation for Rust. An issue was discovered in h2 v0.2.4 when processing header frames. It incorrectly processes HTTP/2 RST_STREAM frames by not always releasing the memory immediately upon receiving the reset frame,...

CVSS 7.5 | AI score 7.1 | EPSS 0.01111
Exploits 1 | References 6 | Affected Software 1
Source: vulnersOsv
Added: 2023/04/11 12:00 p.m. (2 views)

acari-lib (>=0.1.1 <=0.1.8), agate (=1.1.0) +59 more potentially affected by unknown CVE via tree_magic (=0.2.3)

tree_magic CARGO version =0.2.3 is affected by a known vulnerability. The following packages have a transitive dependency on tree_magic and may be impacted: acari-lib =0.1.1, =1.2.0, =0.6.0, =0.1.0, =0.1.0, =1.1.0, =0.10.1, =0.1.0, =0.1.4; fractal-matrix-api =4.0.0 and more. Source CVEs: unknown...

AI score 5.8
Exploits 0
Source: vulnersOsv
Added: 2023/04/11 12:00 p.m. (8 views)

acari-lib (>=0.1.11 <=0.1.12), acme-rs (>=0.1.0 <=0.2.0) +299 more potentially affected by unknown CVE via multipart (>=0.10.2 <=0.9.1)

multipart CARGO version =0.10.2, =0.1.11, =0.1.0, =0.9.2, =0.2.0, =0.1.0, =0.0.1, =0.1.5, =0.0.1, =0.1.0, =1.0.0, =0.26.1, =0.4.4, =0.26.1; authenticator =0.3.1 and more. Source CVEs: unknown CVE. Source advisory: OSV:RUSTSEC-2023-0050...

AI score 5.8
Exploits 0
Source: GithubExploit
Added: 2023/04/10 2:12 p.m. (358 views)

Exploit for Code Injection in Vmware Spring_Cloud_Function

CVE-2022-22963 Exploit. This repository contains a Rust-based e...

CVSS 9.8 | AI score 9.7 | EPSS 0.99939
Exploits 36
Source: OSV
Added: 2023/04/07 7:23 p.m. (13 views)

GHSA-FQ33-VMHV-48XH ntru-rs has unsound FFI: Wrong API usage causes write past allocated area

The following usage causes undefined behavior: `let kp: ntru::types::KeyPair = …; kp.get_public().export(Default::default());`. When compiled with debug assertions, the code above will trigger an "attempt to subtract with overflow" panic before UB occurs. Other mistakes, e.g. using EncParams from a differe...

AI score 7.2
Exploits 0 | References 3
Source: Github Security Blog
Added: 2023/04/07 7:23 p.m. (17 views)

ntru-rs has unsound FFI: Wrong API usage causes write past allocated area

The following usage causes undefined behavior: `let kp: ntru::types::KeyPair = …; kp.get_public().export(Default::default());`. When compiled with debug assertions, the code above will trigger an "attempt to subtract with overflow" panic before UB occurs. Other mistakes, e.g. using EncParams from a differe...

AI score 6.8
Exploits 0 | References 3 | Affected Software 1
Source: Exploit DB
Added: 2023/04/05 12:00 a.m. (879 views)

ImageMagick 7.1.0-49 - Arbitrary File Read

Exploit Title: ImageMagick 7.1.0-49 - Arbitrary File Read. Google Dork: N/A. Date: 06/02/2023. Exploit Author: Cristian 'void' Giustini. Vendor Homepage: https://imagemagick.org/. Software Link: https://imagemagick.org/. Version: = 7.1.0-49. Tested on: 7.1.0-49 and 6.9.11-60. CVE: CVE-2022-44268 CVE...

CVSS 6.5 | AI score 7 | EPSS 0.89855
Exploits 28