9526 matches found
GHSA-J8Q9-5RP9-4MV9 Fix a use-after-free bug in diesel's SQLite backend
An issue was discovered in the diesel crate before 1.4.6 for Rust. There is a use-after-free in the SQLite backend because the semantics of sqlite3_column_name are not followed...
Async-h1 request smuggling possible with long unread bodies
An issue was discovered in the async-h1 crate before 2.3.0 for Rust. Request smuggling can occur when used behind a reverse proxy...
AskAI (=0.1.0), BeerHolderBot (>=0.1.0 <=0.3.8) +26495 more potentially affected by CVE-2020-35905 via futures-util (=0.3.32)
futures-util CARGO version =0.3.32 is affected by a known vulnerability. The following packages have a transitive dependency on futures-util and may be impacted: - AskAI =0.1.0 - BeerHolderBot =0.1.0, =0.1.0, =1.0.2, =0.1.0, =0.1.0, =0.1.0, =1.0.0, =1.0.1 and more Source cves: CVE-2020-35905 Sour...
GHSA-RH4W-94HH-9943 MutexGuard::map can cause a data race in safe code
Affected versions of the crate had a Send/Sync implementation for MappedMutexGuard that only considered variance on T, while MappedMutexGuard dereferenced to U. This could have led to data races in safe Rust code when a closure used in MutexGuard::map returns U that is unrelated to T. The issue was...
GHSA-9PQX-G3JH-QPQQ Dangling reference in `access::Map` with Constant
An issue has been discovered in the arc-swap crate before 0.4.8 and 1.x before 1.1.0 for Rust. Use of arc_swap::access::Map with the Constant test helper or with a user-supplied implementation of the Access trait could sometimes lead to dangling references being returned by the map...
cargo-apk (>=0.3.1 <=0.4.0), cargo-authors (>=0.0.1 <=0.4.0) +33 more potentially affected by CVE-2019-16760 via cargo (>=0.10.0 <=0.26.0)
cargo CARGO version =0.10.0, =0.3.1, =0.0.1, =0.1.0, =0.1.0, =0.2.2, =0.1.1, =0.3.0, =0.1.0, =0.1.2, =0.1.0, =0.1.0, =0.4.0, =0.1.1, =0.5.1, =0.1.0, =0.2.1 and more Source cves: CVE-2019-16760 Source advisory: OSV:GHSA-9F3P-WVJ7-Q82X...
GHSA-9F3P-WVJ7-Q82X Cargo prior to Rust 1.26.0 may download the wrong dependency
Cargo prior to Rust 1.26.0 may download the wrong dependency if your package.toml file uses the package configuration key. Usage of the package key to rename dependencies in Cargo.toml is ignored in Rust 1.25.0 and prior. When Rust 1.25.0 and prior is used Cargo may download the wrong dependency,...
RUSTSEC-2022-0028 Use after free in Neon external buffers
Neon provides functionality for creating JavaScript ArrayBuffer and the Buffer subtype instances backed by bytes allocated outside of V8/Node. The JsArrayBuffer::external and JsBuffer::external did not require T: 'static prior to Neon 0.10.1. This allowed creating an externally backed buffer from...
Solana Rbpf input validation error vulnerability
Solana Rbpf is a Rust virtual machine and JIT compiler for eBPF programs from the Solana Foundation in Switzerland. A security vulnerability exists in Solana Rbpf versions prior to 0.2.29, which stems from an integer overflow problem. An attacker can exploit this vulnerability to cause a program ...
CVE-2019-15551
An issue was discovered in the smallvec crate before 0.6.10 for Rust. There is a double free for certain grow attempts with the current capacity...
CVE-2021-45707
An issue was discovered in the nix crate before 0.20.2, 0.21.x before 0.21.2, and 0.22.x before 0.22.2 for Rust. unistd::getgrouplist has an out-of-bounds write if a user is in more than 16 /etc/groups groups...
CVE-2022-29185
totp-rs is a Rust library that permits the creation of 2FA authentication tokens per time-based one-time password (TOTP). Prior to version 1.1.0, token comparison was not constant time, and could theoretically be used to guess the value of a TOTP token, and thus reuse it in the same time window. The...
Design/Logic Flaw
totp-rs is a Rust library that permits the creation of 2FA authentication tokens per time-based one-time password (TOTP). Prior to version 1.1.0, token comparison was not constant time, and could theoretically be used to guess the value of a TOTP token, and thus reuse it in the same time window. The...
CVE-2022-29185
CVE-2022-29185 affects the Rust library totp-rs. Prior to version 1.1.0, token comparison was not constant time, which could theoretically allow guessing a TOTP token value and reusing it within the same time window, assuming the attacker knew the password. Patch 1.1.0 introduces a constant-time ...
CVE-2022-29185 Observable Timing Discrepancy in totp-rs
totp-rs is a Rust library that permits the creation of 2FA authentication tokens per time-based one-time password (TOTP). Prior to version 1.1.0, token comparison was not constant time, and could theoretically be used to guess the value of a TOTP token, and thus reuse it in the same time window. The...