RUSTSEC-2023-0118 `win_run_rs` was removed from crates.io for malicious code
This crate was part of a typosquatting malware cluster published by the user Kraded to run an arbitrary malware payload on Windows hosts. This advisory is to retrospectively document this attempted attack. The version information and download records of the malicious crate are no longer available...
cpython-json (>=0.1.0 <=0.3.0), crowbar (>=0.1.0 <=0.2.0) +33 more potentially affected by unknown CVE via cpython (>=0.1.0 <=0.7.2)
cpython CARGO version =0.1.0, =0.1.0, =0.1.0, =0.1.0, =2.0.0-beta, =0.1.0, =0.0.0, =0.1.1, =0.1.0, =0.1.0, =0.1.0, =0.2.1 and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2023-0076...
rusty_paseto vulnerable to private key extraction due to ed25519-dalek dependency
Impact The vulnerability, known as RUSTSEC-2022-0093, impacts the ed25519-dalek crate, which is a dependency of the rusty-paseto crate. This issue arises from a "Double Public Key Signing Function Oracle Attack" affecting versions of ed25519-dalek prior to v2.0. These versions expose an unsafe AP...
GHSA-J57R-4QW6-58R3 rusty_paseto vulnerable to private key extraction due to ed25519-dalek dependency
Impact The vulnerability, known as RUSTSEC-2022-0093, impacts the ed25519-dalek crate, which is a dependency of the rusty-paseto crate. This issue arises from a "Double Public Key Signing Function Oracle Attack" affecting versions of ed25519-dalek prior to v2.0. These versions expose an unsafe AP...
acme-client (>=0.1.0 <=0.2.0), aerial (=0.1.0) +690 more potentially affected by unknown CVE via hpack (>=0.2.0 <=0.3.0)
hpack CARGO version =0.2.0, =0.1.0, =0.1.0, =0.2.0, =0.1.0, =0.1.0, =0.7.0, =0.0.1, =0.1.0, =0.5.0, =0.1.3, =0.1.13 and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2023-0084...
HPGO (=0.9.2), algebraics (>=0.1.2 <=0.2.0) +242 more potentially affected by unknown CVE via inventory (>=0.1.10 <=0.1.11)
inventory CARGO version =0.1.10, =0.1.2, =0.11.0, =0.2.0, =0.1.0, =0.6.0, =0.7.0, =0.6.0, =0.5.0, =0.6.0, =0.4.0, =0.6.0, =0.5.0, =0.15.3 and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2023-0058...
auto-wasi (=0.1.0), ceres-executor (>=0.1.0 <=0.2.0) +87 more potentially affected by CVE-2023-41880 via wasmtime (>=0.10.0 <=0.9.0)
wasmtime CARGO version =0.10.0, =0.1.0, =0.1.1, =0.5.3-0, =0.4.0, =0.4.0, =0.0.0, =0.0.1-alpha, =0.40.1, =0.45.0, =0.1.0, =0.1.0, =0.1.0, =0.1.7 and more Source cves: CVE-2023-41880 Source advisory: OSV:RUSTSEC-2023-0091...
RUSTSEC-2023-0091 Miscompilation of wasm `i64x2.shr_s` instruction with constant input on x86_64
This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-gw5p-q8mj-p7gh. For more information see the GitHub-hosted security advisory...
IMAPServer (=0.1.0), actson (>=0.2.0 <=0.3.0) +475 more potentially affected by unknown CVE via lexical (>=2.2.4 <=6.1.1)
lexical CARGO version =2.2.4, =0.2.0, =0.1.0, =0.8.0, =0.1.0, =0.11.0, =0.2.0, =0.1.0, =0.6.0, =0.6.0, =0.6.0, =0.4.0, =0.6.0, =0.15.3 and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2023-0055...
fuse-backend-rs (>=0.10.5 <=0.12.0), linux-loader (>=0.8.0 <=0.9.0) +6 more potentially affected by CVE-2023-41051 via vm-memory (>=0.10.0 <=0.11.0)
vm-memory CARGO version =0.10.0, =0.10.5, =0.8.0, =0.6.0, =0.8.0, =0.7.0, =0.4.0, =0.2.0, =1.5.1, =1.6.1 Source cves: CVE-2023-41051 Source advisory: OSV:RUSTSEC-2023-0056...
bitcoin-harness (=0.1.0), bitcoin_rpc_client (>=0.5.0 <=0.6.1) +79 more potentially affected by CVE-2023-53159 via openssl (>=0.10.22 <=0.10.52)
openssl CARGO version =0.10.22, =0.5.0, =0.2.0, =0.0.0, =0.0.1, =0.3.3, =0.6.25, =0.1.0-alpha.0, =0.1.24, =0.37.0, =0.4.0, =0.37.0, =0.37.0, =0.38.0 and more Source cves: CVE-2023-53159 Source advisory: OSV:RUSTSEC-2023-0044...
libpijul (>=0.12.0 <=0.12.1), pijul (>=0.12.0 <=0.12.1) +7 more potentially affected by CVE-2023-53161 via buffered-reader (>=0.11.0 <=0.5.0)
buffered-reader CARGO version =0.11.0, =0.12.0, =0.12.0, =0.1.0, =0.1.0, =0.17.0, =0.2.0, =0.0.1, =0.1.0, =0.4.0 Source cves: CVE-2023-53161 Source advisory: OSV:RUSTSEC-2023-0039...
Undefined Behavior in Rust runtime functions
This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-ch89-5g45-qwc7. For more information see the GitHub-hosted security advisory...
RUSTSEC-2023-0092 Undefined Behavior in Rust runtime functions
This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-ch89-5g45-qwc7. For more information see the GitHub-hosted security advisory...
aware (>=0.0.1 <=0.0.25), aws-config (>=0.0.22-alpha <=0.15.0) +343 more potentially affected by CVE-2023-30610 via aws-sigv4 (>=0.0.22-alpha <=0.15.1)
aws-sigv4 CARGO version =0.0.22-alpha, =0.0.1, =0.0.22-alpha, =0.0.22-alpha, =0.0.1, =0.0.22-alpha, =0.0.22-alpha, =0.0.22-alpha, =0.0.22-alpha, =0.0.22-alpha, =0.0.22-alpha, =0.0.22-alpha, =0.0.22-alpha, =0.10.1, =0.0.22-alpha, =0.15.0 and more Source cves: CVE-2023-30610 Source advisory:...
BeerHolderBot (>=0.1.0 <=0.3.6), GetPDB (>=0.1.0 <=1.0.1) +4573 more potentially affected by CVE-2023-26964 via h2 (>=0.1.26 <=0.3.12)
h2 CARGO version =0.1.26, =0.1.0, =0.1.0, =0.0.2, =0.1.0, =0.1.0, =0.2.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.0.1, =0.2.0-alpha.0 and more Source cves: CVE-2023-26964 Source advisory: OSV:RUSTSEC-2023-0034...
acari-lib (>=0.1.1 <=0.1.8), agate (=1.1.0) +59 more potentially affected by unknown CVE via tree_magic (=0.2.3)
tree_magic CARGO version =0.2.3 is affected by a known vulnerability. The following packages have a transitive dependency on tree_magic and may be impacted: - acari-lib =0.1.1, =1.2.0, =0.6.0, =0.1.0, =0.1.0, =1.1.0, =0.10.1, =0.1.0, =0.1.4 - fractal-matrix-api =4.0.0 and more Source cves: unknown...
core-lib (>=0.1.0 <=0.2.0), eventsourced-nats (>=0.1.0 <=0.6.0) +25 more potentially affected by unknown CVE via async-nats (>=0.10.1 <=0.27.1)
async-nats CARGO version =0.10.1, =0.1.0, =0.1.0, =0.1.0, =0.7.0, =0.26.0, =0.25.0, =0.12.0, =0.9.0, =0.16.0, =0.3.0, =0.4.0 and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2023-0027...
cargo-generate (>=0.13.1 <=0.16.0), cargo-smart-release (>=0.1.0 <=0.2.4) +43 more potentially affected by unknown CVE via git-hash (>=0.10.3 <=0.9.11)
git-hash CARGO version =0.10.3, =0.13.1, =0.1.0, =0.2.11, =11.0.0, =0.12.11, =0.1.0, =0.1.0, =0.3.0, =0.2.0, =0.1.0, =0.1.0, =0.10.0, =0.1.0, =0.1.0, =0.4.3 - git-lock =0.0.0 and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2023-0025...
RUSTSEC-2023-0093 Miscompilation of `i8x16.select` with the same inputs on x86_64
This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xm67-587q-r2vw. For more information see the GitHub-hosted security advisory...