9526 matches found
AsgoreCore (>=0.1.0 <=0.1.2), RustyBox (=0.1.0) +210 more potentially affected by unknown CVE via clipboard (>=0.1.2 <=0.5.0)
clipboard CARGO version =0.1.2, =0.1.0, =0.1.0, =0.6.0, =0.1.0, =0.1.0, =0.1.0, =0.2.0, =0.8.0, =0.3.0, =0.4.0, =0.8.0, =0.15.3 and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2022-0056...
Malicious Package
Overview rust-functions is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this package wa...
Malicious Package
Overview rust-docs is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this package was...
Malicious Package
Overview example-rust is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this package was...
MAL-2022-2912 Malicious code in example-rust (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 3ea3b88110c6d99f6f13c45a70f1a3a66f9c32da09f15db73f1a166c2cbfa080 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
GHSA-W3VW-CCC5-QR8V Use After Free in Context::start_auth_session
Impact This issue only applies to applications starting authorization sessions using an explicit initial nonce. When Context::start_auth_session was called with a nonce argument value of Some..., the nonce pointer passed down through FFI to Esys_StartAuthSession would be a dangling pointer, left ove...
GHSA-75RW-34Q6-72CR Signature forgery in Biscuit
Impact The paper Cryptanalysis of Aggregate Γ-Signature and Practical Countermeasures in Application to Bitcoin defines a way to forge valid Γ-signatures, an algorithm that is used in the Biscuit specification version 1. It would allow an attacker to create a token with any access level. As Biscu...
actix-lua (=0.2.0), age (>=0.5.0 <=0.6.1) +99 more potentially affected by CVE-2021-45712 via rust-embed (>=0.5.2 <=5.9.0)
rust-embed CARGO version =0.5.2, =0.5.0, =0.0.0, =0.1.0, =0.5.1, =0.1.0, =0.2.0, =0.1.0, =1.0.1, =0.1.0, =1.0.0, =0.1.31, =0.1.36 and more Source cves: CVE-2021-45712 Source advisory: OSV:GHSA-CGW6-F3MJ-H742...
abstract-boot (>=0.2.0-beta.4 <=0.2.0-beta.7), ace-test-lib (=0.1.0) +711 more potentially affected by unknown CVE via rust-crypto (=0.2.36)
rust-crypto CARGO version =0.2.36 is affected by a known vulnerability. The following packages have a transitive dependency on rust-crypto and may be impacted: - abstract-boot =0.2.0-beta.4, =0.0.1, =0.0.1, =0.1.0, =0.0.1, =0.1.0, =0.2.0, =0.8.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.3.0 and more...
GHSA-JP3W-3Q88-34CF Miscomputation when performing AES encryption in rust-crypto
The following Rust program demonstrates some strangeness in AES encryption: if you have an immutable key slice and then operate on that slice, you get different encryption output than if you operate on a copy of that key. For these functions, we expect that extending a 16-byte key to a 32-byte k...
GHSA-JF5H-CF95-W759 Optional `Deserialize` implementations lacking validation
When activating the non-default feature serialize, most structs implement serde::Deserialize without sufficient validation. This allows breaking invariants in safe code, leading to: Undefined behavior in as_string methods which use std::str::from_utf8_unchecked internally. Panics due to failed...
GHSA-9C9F-7X9P-4WQP A malicious coder can get unsound access to TCell or TLCell memory
This is impossible to do by accident, but by carefully constructing marker types to be covariant, a malicious coder can cheat the singleton check in TCellOwner and TLCellOwner, giving unsound access to cell memory. This could take the form of getting two mutable references to the same memory, or ...
GHSA-8MJ7-WXMC-F424 Use after free in Neon external buffers
Neon provides functionality for creating JavaScript ArrayBuffer and the Buffer subtype instances backed by bytes allocated outside of V8/Node. The JsArrayBuffer::external and JsBuffer::external did not require T: 'static prior to Neon 0.10.1. This allowed creating an externally backed buffer from...
`mopa` is technically unsound
The mopa crate redefines the deprecated TraitObject struct from core::raw like so:

    #[repr(C)]
    #[derive(Copy, Clone)]
    #[doc(hidden)]
    pub struct TraitObject {
        pub data: *mut (),
        pub vtable: *mut (),
    }

This is done to then transmute a reference to a trait object &dyn Trait for any trait Trait into this struct and...