9526 matches found

OSV · added 2022/06/16 11:59 p.m.

GHSA-F67M-9J94-QV9J Parser creates invalid uninitialized value

Affected versions of this crate called mem::uninitialized in the HTTP1 parser to create values of type httparse::Header from the httparse crate. This is unsound, since Header contains references and thus must be non-null. The flaw was corrected by avoiding the use of mem::uninitialized, using...

AI score 5.8 · Exploits 0 · References 3
OSV · added 2022/06/16 11:53 p.m.

GHSA-RXHX-9FJ6-6H2M enum_map macro can cause UB when `Enum` trait is incorrectly implemented

Affected versions of this crate did not properly check the length of an enum when using the enum_map! macro, trusting the user-provided length. When the LENGTH in the Enum trait does not match the array length in the EnumArray trait, this can result in the initialization of the enum map with uninitialized...

AI score 7.8 · Exploits 0 · References 6
vulnersOsv · added 2022/06/16 11:49 p.m.

a2 (>=0.3.6 <=0.5.0-alpha.7), abci-rs (=0.2.0) +950 more potentially affected by unknown CVE via crossbeam-channel (>=0.1.3 <=0.3.9)

crossbeam-channel CARGO version =0.1.3, =0.3.6, =0.4.0, =0.5.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.3.0, =0.1.0, =0.1.0, =0.1.0, =0.2.1 and more. Source CVEs: unknown CVE. Source advisory: OSV:GHSA-9G55-PG62-M8HH...

AI score 5.8 · Exploits 0
OSV · added 2022/06/16 11:44 p.m.

GHSA-72R2-RG28-47V9 `read` on uninitialized buffer may cause UB (bite::read::BiteReadExpandedExt::read_framed_max)

Affected versions of this crate call a user-provided Read implementation on an uninitialized buffer. Read on an uninitialized buffer is defined as undefined behavior in Rust...

CVSS 7.5 · AI score 7.2 · EPSS 0.01059 · Exploits 0 · References 3
Github Security Blog · added 2022/06/16 11:44 p.m.

`read` on uninitialized buffer may cause UB (bite::read::BiteReadExpandedExt::read_framed_max)

Affected versions of this crate call a user-provided Read implementation on an uninitialized buffer. Read on an uninitialized buffer is defined as undefined behavior in Rust...

AI score 7 · Exploits 0 · References 3 · Affected software 1
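The two bite entries above describe the same bug class: a buffer whose bytes were never written is handed to a caller-supplied `Read`. The `Read` contract permits an implementation to inspect the slice it receives before filling it, so even well-behaved callers cannot make that sound. The following is an added example, not code from the bite crate or its fix: a hypothetical length-prefixed frame reader written the unsound way (`Vec::with_capacity` followed by `set_len`, kept only for contrast and never called) beside the hardened form (bound the length before allocating, zero-initialize, and `read_exact`). The frame format, `DEFAULT_MAX_FRAME`, `PeekingReader` and the sample bytes are all constructed for this illustration.

```rust
use std::io::{self, Cursor, Read};

/// Upper bound on frame size this reader will allocate for (assumed constant).
pub const DEFAULT_MAX_FRAME: usize = 64 * 1024;

/// Constructed wire format: little-endian u32 length prefix, then the body.
fn read_len<R: Read>(r: &mut R) -> io::Result<usize> {
    let mut hdr = [0u8; 4];
    r.read_exact(&mut hdr)?;
    Ok(u32::from_le_bytes(hdr) as usize)
}

/// UNSOUND PATTERN (kept for contrast, never called in this file): `set_len`
/// exposes `len` bytes that were never written, and a caller-supplied `Read`
/// is then handed that slice. A `Read` impl may legally read from `buf`
/// before writing to it, so uninitialized memory is observable: UB, as in
/// the advisory.
pub fn read_framed_unsound<R: Read>(r: &mut R, max: usize) -> io::Result<Vec<u8>> {
    let len = read_len(r)?;
    if len > max {
        return Err(io::Error::new(io::ErrorKind::InvalidData, "frame exceeds max"));
    }
    let mut buf: Vec<u8> = Vec::with_capacity(len);
    // SAFETY: none. The `len` elements are uninitialized; this is the bug.
    unsafe { buf.set_len(len) };
    r.read_exact(&mut buf)?;
    Ok(buf)
}

/// Hardened version: reject oversized lengths before allocating, zero the
/// buffer before any untrusted `Read` sees it, and use `read_exact` so a
/// short read is an error instead of a partially filled frame.
pub fn read_framed_max<R: Read>(r: &mut R, max: usize) -> io::Result<Vec<u8>> {
    let len = read_len(r)?;
    if len > max {
        return Err(io::Error::new(io::ErrorKind::InvalidData, "frame exceeds max"));
    }
    let mut buf = vec![0u8; len]; // every byte initialized: safe to lend out
    r.read_exact(&mut buf)?;
    Ok(buf)
}

/// Constructed helper: encode `payload` with the u32 LE length prefix.
pub fn frame(payload: &[u8]) -> Vec<u8> {
    let mut out = (payload.len() as u32).to_le_bytes().to_vec();
    out.extend_from_slice(payload);
    out
}

/// A `Read` impl that looks at the buffer it is given before filling it.
/// This is allowed by the `Read` contract, which is exactly why uninitialized
/// buffers must never reach untrusted readers. Fed by `read_framed_max` it
/// only ever sees zeros.
pub struct PeekingReader {
    inner: Cursor<Vec<u8>>,
    pub saw_nonzero: bool,
}

impl PeekingReader {
    pub fn new(bytes: Vec<u8>) -> Self {
        PeekingReader { inner: Cursor::new(bytes), saw_nonzero: false }
    }
}

impl Read for PeekingReader {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        if buf.iter().any(|&b| b != 0) {
            self.saw_nonzero = true;
        }
        self.inner.read(buf)
    }
}

fn main() -> io::Result<()> {
    let mut r = PeekingReader::new(frame(b"hello"));
    let body = read_framed_max(&mut r, DEFAULT_MAX_FRAME)?;
    println!("body = {:?}, reader observed nonzero bytes = {}", body, r.saw_nonzero);
    Ok(())
}
```

Checking the length against `max` before `vec![0u8; len]` matters as much as the zeroing: a hostile 4-byte prefix would otherwise drive a multi-gigabyte allocation, which is the resource-exhaustion failure mode hiding behind the memory-safety one. Miri flags the unsound variant as reading uninitialized memory the moment a `Read` impl inspects its buffer.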
vulnersOsv · added 2022/06/16 11:41 p.m.

LemoGUI (=0.0.1-nightly), a2d (>=0.1.0 <=0.1.11) +277 more potentially affected by CVE-2021-45688 via ash (>=0.24.4 <=0.32.1)

ash CARGO version =0.24.4, =0.1.0, =0.1.0, =0.0.1, =0.1.2, =0.1.0, =0.1.0, =0.5.4, =0.2.0, =0.1.0, =0.3.0 - amethyst-navigation =0.1.0 and more. Source CVEs: CVE-2021-45688. Source advisory: OSV:GHSA-QJ69-C89V-JWQ2...

CVSS 9.8 · AI score 7.2 · EPSS 0.01345 · Exploits 0
Github Security Blog · added 2022/06/16 11:40 p.m.

`array!` macro is unsound in presence of traits that implement methods it calls internally

Affected versions of this crate called some methods using auto-ref. The affected code looked like this:

```rust
let mut arr = $crate::core::mem::MaybeUninit::uninit();
let mut vec = $crate::ArrayVec::<T>::new(arr.as_mut_ptr() as *mut T);
```

In this case, the problem is that as_mut_ptr is a method of &mut MaybeUninit...

AI score 0.5 · Exploits 0 · References 5 · Affected software 1
vulnersOsv · added 2022/06/16 11:24 p.m.

abomonation_derive (>=0.1.0 <=0.5.0), abomonation_derive_ng (=0.1.0) +30 more potentially affected by CVE-2021-45708 via abomonation (>=0.4.6 <=0.7.3)

abomonation CARGO version =0.4.6, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.3.0, =0.1.1, =0.1.1, =0.1.1, =0.1.0, =0.0.2, =0.1.0, =0.2.0, =0.3.1 and more. Source CVEs: CVE-2021-45708. Source advisory: OSV:GHSA-HFXP-P695-629X...

CVSS 7.5 · AI score 7.2 · EPSS 0.00972 · Exploits 0
Github Security Blog · added 2022/06/16 11:24 p.m.

abomonation transmutes &T to and from &[u8] without sufficient constraints

This transmute is at the core of the abomonation crate. It is so easy to use it to violate alignment requirements that no test in the crate's test suite passes under Miri. The use of this transmute in serialization/deserialization also incorrectly assumes that the layout of a repr(Rust) type is...

AI score 6.5 · Exploits 0 · References 3 · Affected software 1
OSV · added 2022/06/16 11:24 p.m.

GHSA-HFXP-P695-629X abomonation transmutes &T to and from &[u8] without sufficient constraints

This transmute is at the core of the abomonation crate. It is so easy to use it to violate alignment requirements that no test in the crate's test suite passes under Miri. The use of this transmute in serialization/deserialization also incorrectly assumes that the layout of a repr(Rust) type is...

CVSS 7.5 · AI score 5.8 · EPSS 0.00972 · Exploits 0 · References 3
vulnersOsv · added 2022/06/16 11:06 p.m.

DesignerHelper-rs (>=0.1.0 <=0.1.2), GetPDB (>=0.1.0 <=1.0.1) +6475 more potentially affected by CVE-2019-25010 +1 more via failure (>=0.1.0 <=0.1.8)

failure CARGO version =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.0.1, =0.4.0 - abscissa_core =0.4.0 and more. Source CVEs: CVE-2019-25010, CVE-2020-25575. Source advisory: OSV:GHSA-JQ66-XH47-J9F3...

CVSS 9.8 · AI score 7.7 · EPSS 0.02851 · Exploits 1
Github Security Blog · added 2022/06/16 11:06 p.m.

Type confusion if __private_get_type_id__ is overridden

An issue was discovered in the failure crate through 0.1.5 for Rust. It may introduce "compatibility hazards" in some applications, and has a type confusion flaw when downcasting. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: This may overlap...

CVSS 9.8 · AI score 9.3 · EPSS 0.02851 · Exploits 1 · References 8 · Affected software 1
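The flaw named in the title is a downcast that trusts a trait method any implementor may override. The following is an added example modelled on that description, not the failure crate's own code: a `Fail`-style trait whose default `__private_get_type_id__` returns the implementor's `TypeId`, an unsound downcast that believes it (present for contrast, never executed), and a sound alternative that routes through `std::any::Any`, whose blanket implementation no downstream type can replace. `Fail`, `SafeFail`, `AsAny`, `Victim` and `Impostor` are names chosen for this illustration.

```rust
use std::any::{Any, TypeId};

/// UNSOUND DESIGN (modelled on the advisory, not failure's code): a default
/// method reports the implementor's TypeId and the downcast trusts it.
/// Because it is an ordinary trait method, any impl may override it and lie.
pub trait Fail: 'static {
    fn name(&self) -> &'static str;
    #[doc(hidden)]
    fn __private_get_type_id__(&self) -> TypeId {
        TypeId::of::<Self>()
    }
}

/// The comparison the unsound downcast relies on, split out so a lying
/// implementor can be observed without ever materialising a mis-typed reference.
pub fn unsound_check_matches<T: Fail>(f: &dyn Fail) -> bool {
    f.__private_get_type_id__() == TypeId::of::<T>()
}

impl dyn Fail {
    /// Unsound: if the implementor lies about its TypeId, the bytes of one type
    /// are reinterpreted as another. Kept for contrast; not called in this file.
    pub fn downcast_ref_unsound<T: Fail>(&self) -> Option<&T> {
        if unsound_check_matches::<T>(self) {
            // SAFETY (wrong): assumes __private_get_type_id__ was never overridden.
            Some(unsafe { &*(self as *const dyn Fail as *const T) })
        } else {
            None
        }
    }
}

/// Sealed-by-blanket helper: `impl<T: Any> AsAny for T` covers every 'static
/// type, so a downstream crate cannot write a conflicting impl and `as_any`
/// cannot be overridden.
pub trait AsAny {
    fn as_any(&self) -> &dyn Any;
}

impl<T: Any> AsAny for T {
    fn as_any(&self) -> &dyn Any {
        self
    }
}

/// Sound design: downcasting defers to `Any::type_id`, implemented once by std.
pub trait SafeFail: Any + AsAny {
    fn name(&self) -> &'static str;
}

impl dyn SafeFail {
    pub fn downcast_ref<T: SafeFail>(&self) -> Option<&T> {
        self.as_any().downcast_ref::<T>()
    }
}

/// The type an attacker wants the downcast to produce.
pub struct Victim {
    pub secret: u64,
}

impl Fail for Victim {
    fn name(&self) -> &'static str {
        "victim"
    }
}

impl SafeFail for Victim {
    fn name(&self) -> &'static str {
        "victim"
    }
}

/// Malicious implementor: claims to be a Victim.
pub struct Impostor;

impl Fail for Impostor {
    fn name(&self) -> &'static str {
        "impostor"
    }
    fn __private_get_type_id__(&self) -> TypeId {
        TypeId::of::<Victim>()
    }
}

impl SafeFail for Impostor {
    fn name(&self) -> &'static str {
        "impostor"
    }
}

fn main() {
    let liar: &dyn Fail = &Impostor;
    println!("unsound check fooled: {}", unsound_check_matches::<Victim>(liar));
    let safe_liar: &dyn SafeFail = &Impostor;
    println!("sound downcast to Victim: {}", safe_liar.downcast_ref::<Victim>().is_some());
}
```

The general lesson is not specific to failure: any `unsafe` reinterpretation gated on a value an untrusted trait implementation controls (a type id, a length, a discriminant) is a type-confusion primitive. The gate must come from something the implementor cannot touch, here std's blanket `Any`.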
NVD · added 2022/06/13 8:15 p.m.

CVE-2022-31053

Biscuit is an authentication and authorization token for microservices architectures. The Biscuit specification version 1 contains a vulnerable algorithm that allows malicious actors to forge valid Γ-signatures. Such an attack would allow an attacker to create a token with any access level. The...

CVSS 9.8 · EPSS 0.0096 · Exploits 1 · References 2
Prion · added 2022/06/13 8:15 p.m.

Authentication flaw

Biscuit is an authentication and authorization token for microservices architectures. The Biscuit specification version 1 contains a vulnerable algorithm that allows malicious actors to forge valid Γ-signatures. Such an attack would allow an attacker to create a token with any access level. The...

CVSS 7.5 · AI score 9.5 · EPSS 0.0096 · Exploits 1 · References 2 · Affected software 4
Microsoft Malware Protection · added 2022/06/13 4:00 p.m.

The many lives of BlackCat ransomware

The BlackCat ransomware, also known as ALPHV, is a prevalent threat and a prime example of the growing ransomware-as-a-service (RaaS) gig economy. It's noteworthy due to its unconventional programming language (Rust), multiple target devices and possible entry points, and affiliation with prolific...

AI score 0.8 · Exploits 0
vulnersOsv · added 2022/06/11 12:00 p.m.

NT-anchor-spl (>=0.19.0 <=0.19.5), NT-anchor-spl-testnet (=0.19.2) +1605 more potentially affected by CVE-2022-50237 via ed25519-dalek (>=0.9.1 <=2.0.0-pre.0)

ed25519-dalek CARGO version =0.9.1, =0.19.0, =0.4.2, =0.2.0-beta.4, =0.1.0, =0.1.1, =0.1.0, =1.0.5, =0.0.0-alpha, =0.0.1-alpha.1, =0.5.0, =0.5.2, =0.8.0, =0.8.0, =0.8.9 and more. Source CVEs: CVE-2022-50237. Source advisory: OSV:RUSTSEC-2022-0093...

CVSS 5.9 · AI score 5.4 · EPSS 0.00177 · Exploits 0
GithubExploit · added 2022/06/05 10:17 p.m.

Exploit for Uncontrolled Resource Consumption in Rust-Lang Regex

POC of CVE-2022-24713 on Ubuntu. Install the current rust-regex...

CVSS 7.5 · AI score 8.4 · EPSS 0.1446 · Exploits 1
Github Security Blog · added 2022/05/24 7:09 p.m.

Exposure of Sensitive Information to an Unauthorized Actor in MongoDB Rust Driver

Specific MongoDB Rust Driver versions can include credentials used by the connection pool to authenticate connections in the monitoring event that is emitted when the pool is created. The user's logging infrastructure could then potentially ingest these events and unexpectedly leak the credential...

CVSS 4.4 · AI score 2.4 · EPSS 0.00308 · Exploits 0 · References 4 · Affected software 1
OSV · added 2022/05/24 7:09 p.m.

GHSA-4RJR-3GJ2-5CRQ Exposure of Sensitive Information to an Unauthorized Actor in MongoDB Rust Driver

Specific MongoDB Rust Driver versions can include credentials used by the connection pool to authenticate connections in the monitoring event that is emitted when the pool is created. The user's logging infrastructure could then potentially ingest these events and unexpectedly leak the credential...

CVSS 4.4 · AI score 4.3 · EPSS 0.00308 · Exploits 0 · References 4