31 matches found

Source: OSV
Added: 2024/09/15 12:00 p.m.

RUSTSEC-2024-0427 get-size-derive is unmaintained

get-size-derive's maintainer seems to be unreachable, with no commits or releases pushed for 1 year and no activity on the GitHub repo. get-size-derive also depends on attribute-derive ^0.6, a version of the crate that uses the yanked crate proc-macro-error. Possible Alternatives - get-size-deri...

AI score: 7.1 | Exploits: 0 | References: 3
Source: Malwarebytes
Added: 2024/06/21 8:19 a.m.

US bans Kaspersky, warns: “Immediately stop using that software”

The US government will ban the sale of Kaspersky antivirus products to new customers in the United States starting July 20, with a follow-on deadline to prohibit the cybersecurity company from providing users with software updates after September 29. The move follows years of allegations that the...

AI score: 7.1 | Exploits: 0
Source: Github Security Blog
Added: 2023/09/11 8:43 p.m.

Users vulnerable to unaligned read of `*const *const c_char` pointer

Affected versions dereference a potentially unaligned pointer. The pointer is commonly unaligned in practice, resulting in undefined behavior. In some build modes, this is observable as a panic followed by abort. In other build modes the UB may manifest in some other way, including the possibilit...

AI score: 6.9 | Exploits: 0 | References: 3 | Affected software: 1
Source: Prion
Added: 2023/07/21 8:15 p.m.

Remote code execution

vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, the Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. This may result in Remote Code Execution, assuming the attacker has an arbitrary code execution primitive insid...

CVSS: 7.5 | AI score: 9.8 | EPSS: 0.36936 | Exploits: 1 | References: 2 | Affected software: 1
Source: RustSec
Added: 2023/03/12 12:00 p.m.

const-cstr is Unmaintained

Last release was about five years ago. The maintainers have been unreachable to respond to any issues that may or may not include security issues. The repository is now archived and there is no security policy in place to contact the maintainers otherwise. No direct fork exists. const-cstr is...

AI score: 0.5 | Exploits: 0
Source: OSV
Added: 2023/03/12 12:00 p.m.

RUSTSEC-2023-0020 const-cstr is Unmaintained

Last release was about five years ago. The maintainers have been unreachable to respond to any issues that may or may not include security issues. The repository is now archived and there is no security policy in place to contact the maintainers otherwise. No direct fork exists. const-cstr is...

AI score: 7.4 | Exploits: 0 | References: 3
Source: RustSec
Added: 2022/02/01 12:00 p.m.

json is unmaintained

Last release was almost 3 years ago. The maintainer is unresponsive with outstanding issues. One of the outstanding issues includes a possible soundness issue. Possible Alternatives: The below list has not been vetted in any way and may or may not contain alternatives: - jzon, maintained fork of jso...

AI score: 7.2 | Exploits: 0
Source: OSV
Added: 2022/01/17 12:00 p.m.

RUSTSEC-2022-0036 project abandoned

The r2d2-odbc-api crate might be an alternative...

AI score: 7.1 | Exploits: 0 | References: 3
Source: RustSec
Added: 2021/10/04 12:00 p.m.

traitobject is Unmaintained

Crate traitobject has not had a release for over five years. In addition there is an existing security advisory that has not been addressed: - RUSTSEC-2020-0027. Possible Alternatives: The below list has not been vetted in any way and may or may not contain alternatives: - destructuretraitobject...

AI score: 3.5 | Exploits: 0
Source: RustSec
Added: 2020/12/20 12:00 p.m.

difference is unmaintained

The author of the difference crate is unresponsive. Maintained alternatives: - dissimilar - similar - treediff - diffus...

AI score: 3.2 | Exploits: 0
Source: RustSec
Added: 2020/12/02 12:00 p.m.

memmap is unmaintained

The author of the memmap crate is unresponsive. Maintained alternatives: - memmap2...

AI score: 2 | Exploits: 0 | Affected software: 1
Source: OSV
Added: 2020/09/04 5:55 p.m.

GHSA-5FF8-JCF9-FW62 Cross-Site Scripting in markdown-it-katex

All versions of markdown-it-katex are vulnerable to Cross-Site Scripting (XSS). The package fails to properly escape error messages, which may allow attackers to execute arbitrary JavaScript in a victim's browser by triggering an error. Recommendation: No fix is currently available. Consider using a...

AI score: 6.8 | Exploits: 0 | References: 3
Source: OSV
Added: 2020/09/04 5:37 p.m.

GHSA-VJVW-WCMW-PR26 Insufficient Entropy in parsel

All versions of parsel use an insecure key derivation function. The package runs keys of arbitrary lengths through one round of SHA256 hashing for key stretching. This allows for the use of keys of insufficient entropy with inappropriate key stretching. Recommendation: The package is deprecated an...

AI score: 7.3 | Exploits: 0 | References: 1
Source: Github Security Blog
Added: 2020/09/04 5:36 p.m.

Insecure Cryptography Algorithm in parsel

All versions of parsel use an insecure cryptography algorithm. The package uses aes-256-cbc without integrity checks, which renders the ciphertext vulnerable to bit-flipping attacks. Recommendation: The package is deprecated and will not be updated. Consider using an alternative package...

AI score: 4.2 | Exploits: 0 | References: 2 | Affected software: 1
Source: OSV
Added: 2020/09/04 5:34 p.m.

GHSA-Q643-W9JP-Q2QG Hardcoded Initialization Vector in parsel

All versions of parsel have a default hardcoded initialization vector. In cases where the IV is not provided, the package defaults to a hardcoded IV, which renders the cipher vulnerable to chosen plaintext attacks. Recommendation: The package is deprecated and will not be updated. Consider using an...

AI score: 7 | Exploits: 0 | References: 1
Source: Github Security Blog
Added: 2020/09/04 5:28 p.m.

Cross-Site Scripting in atlasboard-atlassian-package

All versions of atlasboard-atlassian-package prior to 0.4.2 are vulnerable to Cross-Site Scripting (XSS). The package fails to properly sanitize user input that is rendered as HTML, which may allow attackers to execute arbitrary JavaScript in a victim's browser. This requires attackers being able t...

AI score: 3.6 | Exploits: 0 | References: 3 | Affected software: 1
Source: OSV
Added: 2020/09/04 3:22 p.m.

GHSA-MMQV-M45H-Q2HP Sandbox Breakout / Arbitrary Code Execution in localeval

All versions of localeval are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to restrict access to the main context through constructor.constructor. This may allow attackers to execute arbitrary code in the system. Evaluating the payload...

AI score: 8.3 | Exploits: 0 | References: 4
Source: Github Security Blog
Added: 2020/09/03 8:31 p.m.

Regular Expression Denial of Service in sql-injection

All versions of sql-injection are vulnerable to Regular Expression Denial of Service. The package processes a request's body with regular expressions that may take exponentially longer to execute for large inputs. Recommendation: No fix is currently available. Consider using an alternative package...

AI score: 5.9 | Exploits: 0 | References: 2 | Affected software: 1
Source: OSV
Added: 2020/09/03 7:02 p.m.

GHSA-VX5W-CXCH-WWC9 Path Traversal in f-serv

All versions of f-serv are vulnerable to Path Traversal. Due to insufficient input sanitization in URLs, attackers can access server files by using relative paths when fetching files. Recommendation: No fix is currently available. Consider using an alternative package until a fix is made available...

AI score: 7 | Exploits: 0 | References: 1
Source: Github Security Blog
Added: 2020/09/03 5:10 p.m.

Cross-Site Scripting in graylog-web-interface

All versions of graylog-web-interface are vulnerable to Cross-Site Scripting (XSS). The package fails to escape output on the TypeAhead and QueryInput components, which may allow attackers to execute arbitrary JavaScript in the victim's browser. Recommendation: No fix is currently available. Conside...

AI score: 4.4 | Exploits: 0 | References: 2 | Affected software: 1