9526 matches found
CVE-2022-36114
CVE-2022-36114 concerns Cargo, Rust’s package manager. The advisory states Cargo does not limit data extracted from compressed archives, enabling a zip-bomb attack when a malicious package is uploaded to an alternate registry. This could exhaust disk space on a machine downloading the package. Th...
CVE-2022-36113 Extracting malicious crates can corrupt arbitrary files
Cargo is a package manager for the Rust programming language. After a package is downloaded, Cargo extracts its source code in the ~/.cargo folder on disk, making it available to the Rust projects it builds. To record when an extraction is successful, Cargo writes "ok" to the .cargo-ok file at the...
CVE-2022-36113
Cargo vulnerability (CVE-2022-36113): Cargo would extract packages into ~/.cargo and mark success with a .cargo-ok file. A malicious package could include a .cargo-ok symlink; when Cargo wrote ok, it would overwrite the first two bytes of the symlink target, enabling corruption of a single file o...
CVE-2022-36113
Cargo is a package manager for the Rust programming language. After a package is downloaded, Cargo extracts its source code in the ~/.cargo folder on disk, making it available to the Rust projects it builds. To record when an extraction is successful, Cargo writes "ok" to the .cargo-ok file at the...
CVE-2022-36114
Cargo is a package manager for the Rust programming language. It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternate registry a specially crafted package that extracts way more data than its size, also known as a...
CVE-2022-36114 Extracting malicious crates can fill the file system
Cargo is a package manager for the Rust programming language. It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternate registry a specially crafted package that extracts way more data than its size, also known as a...
Ubuntu 20.04 LTS / 22.04 LTS : rust-regex vulnerability (USN-5610-1)
The remote Ubuntu 20.04 LTS / 22.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-5610-1 advisory. Addison Crump discovered that rust-regex did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could possibly...
GHSA-C439-CHV8-8G2J `os_socketaddr` invalidly assumes the memory layout of std::net::SocketAddr
The `os_socketaddr` crate assumed that std::net::SocketAddrV4 and std::net::SocketAddrV6 have the same memory layout as the system C representation sockaddr. It simply cast the pointers to convert the socket addresses to the system representation. These layouts were changed into idiomatic Rust...
ahecha (>=0.0.5 <=0.0.9), ahecha_html (>=0.0.2 <=0.0.8) +79 more potentially affected by CVE-2022-3212 via axum-core (=0.1.2)
axum-core CARGO version =0.1.2 is affected by a known vulnerability. The following packages have a transitive dependency on axum-core and may be impacted: - ahecha =0.0.5, =0.0.2, =0.0.2, =0.1.0, =3.0.14, =0.14.0, =0.33.0, =0.4.0, =0.1.0, =0.1.1 - axum-client-ip =0.1.0 - axum-core =0.2.0 and more...
cargo-travis (>=0.0.10 <=0.0.11), cargo-travis-fork (>=0.0.11 <=0.0.12) potentially affected by unknown CVE via badge (>=0.2.0 <=0.3.0)
badge CARGO version =0.2.0, =0.0.10, =0.0.11, =0.0.12 Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2022-0057...
RUSTSEC-2022-0052 `os_socketaddr` invalidly assumes the memory layout of std::net::SocketAddr
The `os_socketaddr` crate assumed that std::net::SocketAddrV4 and std::net::SocketAddrV6 have the same memory layout as the system C representation sockaddr. It simply cast the pointers to convert the socket addresses to the system representation. These layouts were changed into idiomatic Rust...
alass-util (=0.3.0), assembly-data (>=0.2.0 <=0.3.0-beta.0) +57 more potentially affected by unknown CVE via mapr (=0.8.0)
mapr CARGO version =0.8.0 is affected by a known vulnerability. The following packages have a transitive dependency on mapr and may be impacted: - alass-util =0.3.0 - assembly-data =0.2.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.3.0, =0.101.0, =0.37.0, =0.101.0, =0.4.0, =0.37.0, =0.40.0, =0.40.0,...
opcua security vulnerability
opcua is a client and server implementation of the OPC UA specification written in Rust. A security vulnerability exists in opcua that stems from the lack of a limit on the total number of received blocks per session or across all concurrent sessions...
Denial of Service (DoS)
Overview: opcua is an OPC UA server / client API implementation for Rust. Affected versions of this package are vulnerable to Denial of Service (DoS) due to a missing limitation on the number of received chunks, per single session or in total for all concurrent sessions. An attacker can exploit thi...
The vulnerability of the `std::fs::remove_dir_all` function in the Rust programming language allows a malicious actor to delete any system files and directories they desire.
The vulnerability of the `std::fs::remove_dir_all` function in the Rust programming language is related to synchronization errors when using a shared resource. Exploiting this vulnerability could allow an attacker to delete arbitrary system files and directories...
Ropr - A Blazing Fast Multithreaded ROP Gadget Finder. Ropper / Ropgadget Alternative
ropr is a blazing fast multithreaded ROP Gadget finder. What is a ROP Gadget? ROP (Return Oriented Programming) Gadgets are small snippets of a few assembly instructions, typically ending in a ret instruction, which already exist as executable code within each binary or library. These gadgets may be...
Exploit for Improper Privilege Management in Wfs Heaven_Burns_Red
EvilWfshbr CVE-2022-42046 https://vulners.com/cve/CVE-2022-...
Fedora: Security Advisory for rust-ffsend (FEDORA-2022-163bcf190f)
The remote host is missing an update for the... Copyright (C) 2022 Greenbone Networks GmbH. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later. This program is free software; you can...
Fedora: Security Advisory for rust-ffsend (FEDORA-2022-dfa24fa7d4)
The remote host is missing an update for the... Copyright (C) 2022 Greenbone Networks GmbH. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later. This program is free software; you can...
[SECURITY] Fedora 35 Update: rust-ffsend-0.2.71-3.fc35
Easily and securely share files from the command line. A fully featured Firefox Send client...