Design/Logic Flaw
Rust-WebSocket is a WebSocket RFC6455 library written in Rust. In versions prior to 0.26.5 untrusted websocket connections can cause an out-of-memory OOM process abort in a client or a server. The root cause of the issue is during dataframe parsing. Affected versions would allocate a buffer based...
CVE-2022-35922 Memory allocation based on untrusted length in rust-websocket
Rust-WebSocket is a WebSocket RFC6455 library written in Rust. In versions prior to 0.26.5 untrusted websocket connections can cause an out-of-memory OOM process abort in a client or a server. The root cause of the issue is during dataframe parsing. Affected versions would allocate a buffer based...
CVE-2022-35922
Rust-WebSocket (rust-websocket) prior to 0.26.5 is vulnerable: untrusted data during dataframe parsing can drive an allocation based on a declared size, causing an OOM abort in the sync (non-Tokio) path; the async path does not use Vec::with_capacity, so DoS is tied to delivered oversized data. ...
CVE-2022-31173
Juniper is a GraphQL server library for Rust. Affected versions of Juniper are vulnerable to uncontrolled recursion resulting in a program crash. This issue has been addressed in version 0.15.10. Users are advised to upgrade. Users unable to upgrade should limit the recursion depth manually...
CVE-2022-31173
CVE-2022-31173 affects the Juniper GraphQL server library for Rust. Affected versions are vulnerable to uncontrolled recursion, causing a program crash (denial of service). The issue is addressed in version 0.15.10; users should upgrade. If upgrading is not possible, a manual limit on recursion d...
CVE-2022-31173 Juniper is vulnerable to @DOS GraphQL Nested Fragments overflow
Juniper is a GraphQL server library for Rust. Affected versions of Juniper are vulnerable to uncontrolled recursion resulting in a program crash. This issue has been addressed in version 0.15.10. Users are advised to upgrade. Users unable to upgrade should limit the recursion depth manually...
Unbounded memory allocation based on untrusted length
Impact Untrusted websocket connections can cause an out-of-memory OOM process abort in a client or a server. The root cause of the issue is during dataframe parsing. Affected versions would allocate a buffer based on the declared dataframe size, which may come from an untrusted source. When...
RUSTSEC-2022-0035 Unbounded memory allocation based on untrusted length
Impact Untrusted websocket connections can cause an out-of-memory OOM process abort in a client or a server. The root cause of the issue is during dataframe parsing. Affected versions would allocate a buffer based on the declared dataframe size, which may come from an untrusted source. When...
graphql-rust resource management error vulnerability
graphql-rust is a Rust-based GraphQL server library. A resource management error vulnerability exists in versions of graphql-rust Juniper prior to 0.15.10, which stems from uncontrolled recursion that can cause the program to crash...
Rust-WebSocket resource management error vulnerability
Rust-WebSocket is a Rust-based WebSocket library. A resource management error vulnerability exists in Rust-WebSocket versions prior to 0.26.5, which stems from the fact that an untrusted websocket connection may cause an out-of-memory (OOM) process abort on the client or server. The root cause o...
automaat-processor-git-clone (=0.1.0), automaat-processor-http-request (=0.1.0) +49 more potentially affected by CVE-2022-31173 via juniper (>=0.10.0 <=0.15.1)
juniper CARGO version =0.10.0, =0.3.0-development-1, =0.3.0-development-1, =0.3.0-development-1, =0.3.0-development-1, =0.3.0-development-2 and more Source cves: CVE-2022-31173 Source advisory: OSV:GHSA-4RX6-G5VG-5F3J...
apollo-gateway-rs (>=0.7.5 <=0.7.6), aqlgen (>=0.1.0 <=0.8.0) +61 more potentially affected by unknown CVE via async-graphql (>=1.13.4 <=4.0.16)
async-graphql CARGO version =1.13.4, =0.7.5, =0.1.0, =0.1.0, =0.1.0, =0.0.1-alpha+3, =0.1.0, =2.9.13, =0.1.0-beta.0, =2.9.12, =0.2.0, =1.14.10, =0.1.0, =1.0.0, =4.0.16 and more Source cves: unknown CVE Source advisory: OSV:GHSA-XQ3C-8GQM-V648...
automaat-processor-git-clone (=0.1.0), automaat-processor-http-request (=0.1.0) +49 more potentially affected by CVE-2022-31173 via juniper (>=0.10.0 <=0.15.1)
juniper CARGO version =0.10.0, =0.3.0-development-1, =0.3.0-development-1, =0.3.0-development-1, =0.3.0-development-1, =0.3.0-development-2 and more Source cves: CVE-2022-31173 Source advisory: OSV:RUSTSEC-2022-0038...
hotg-rune-runtime (>=0.11.0 <=0.11.3), hotg-rune-wasm3-runtime (>=0.6.0 <=0.10.0) +7 more potentially affected by CVE-2022-34529 via wasm3 (>=0.1.3 <=0.3.1)
wasm3 CARGO version =0.1.3, =0.11.0, =0.6.0, =0.7.0, =0.4.0, =0.2.0, =0.0.1, =0.16.0, =0.15.0, =0.19.0 Source cves: CVE-2022-34529 Source advisory: OSV:GHSA-GQ4P-4HXV-5RG9...
ehsm (>=0.1.0 <=0.1.1), ic-identity-hsm (>=0.2.0 <=0.23.2) +4 more potentially affected by unknown CVE via pkcs11 (=0.5.0)
pkcs11 CARGO version =0.5.0 is affected by a known vulnerability. The following packages have a transitive dependency on pkcs11 and may be impacted: - ehsm =0.1.0, =0.2.0, =0.1.0, =0.1.0, =0.0.1, =0.2.1 - tpm-change-pin =0.1.0 Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2022-0034...
Information disclosure
Slack Morphism is an async client library for Rust. Prior to 0.41.0, it was possible for Slack OAuth client information to leak in application debug logs. Stricter and more secure debug formatting was introduced in v0.41.0 for OAuth secret types to reduce the possibility of printing sensitive...
auto-wasi (=0.1.0), ceres-executor (>=0.1.0 <=0.2.0) +79 more potentially affected by CVE-2022-23636 +1 more via wasmtime (>=0.10.0 <=0.37.0)
wasmtime CARGO version =0.10.0, =0.1.0, =0.1.1, =0.5.3-0, =0.4.0, =0.4.0, =0.0.0, =0.40.1, =0.45.0, =0.1.0, =0.1.0, =0.1.0, =0.1.7 - lunatic-common-api =0.9.0 and more Source cves: CVE-2022-23636, CVE-2022-31169 Source advisory: OSV:GHSA-7F6X-JWH5-M9R4...
CVE-2022-31162 Slack Morphism for Rust before 0.41.0 can accidentally leak Slack OAuth client information in application debug logs
Slack Morphism is an async client library for Rust. Prior to 0.41.0, it was possible for Slack OAuth client information to leak in application debug logs. Stricter and more secure debug formatting was introduced in v0.41.0 for OAuth secret types to reduce the possibility of printing sensitive...