219 matches found
CVE-2023-6245 Infinite decoding loop through specially crafted payload
The Candid library causes a Denial of Service while parsing a specially crafted payload with 'empty' data type. For example, if the payload is record ; empty and the canister interface expects record then the Rust candid decoder treats empty as an extra field required by the type. The problem wit...
CVE-2023-46135 Panic in SignedPayload::from_payload
rs-stellar-strkey is a Rust lib for encode/decode of Stellar Strkeys. A panic vulnerability occurs when a specially crafted payload is used. inner_payload_len should not be above 64. This vulnerability has been patched in version 0.0.8...
Tungstenite allows remote attackers to cause a denial of service
The Tungstenite crate through 0.20.0 for Rust allows remote attackers to cause a denial of service (minutes of CPU consumption) via an excessive length of an HTTP header in a client handshake. The length affects both how many times a parse is attempted (e.g., thousands of times) and the average amoun...
acid-store (>=0.8.0 <=0.14.2), acme-redirect (>=0.4.0 <=0.5.3) +229 more potentially affected by unknown CVE via users (>=0.10.0 <=0.11.0)
users CARGO version =0.10.0, =0.8.0, =0.4.0, =4.3.3, =0.1.0, =1.3.0, =0.9.0, =0.9.0, =0.1.0, =0.6.2, =0.9.0, =0.2.4, =1.0.1, =0.6.0, =0.26.2, =0.35.0 and more Source cves: unknown CVE Source advisory: OSV:GHSA-JCR6-4FRQ-9GJJ...
odoh-rs security vulnerability
odoh-rs is a Cloudflare open source library that implements the RFC 9230 Oblivious DNS over HTTPS protocol in Rust. A security vulnerability exists in versions prior to odoh-rs rust crate 1.0.2, which stems from faulty logic during the parsing of encrypted queries, and which can be exploited by a...
CVE-2023-33289
The urlnorm crate through 0.1.4 for Rust allows Regular Expression Denial of Service (ReDoS) via a crafted URL to lib.rs. NOTE: the Supplier disputes this, taking the position that "Slow printing of URLs is not a CVE."...
Design/Logic Flaw
aws-sigv4 is a Rust library for low level request signing in the AWS cloud platform. The aws_sigv4::SigningParams struct had a derived Debug implementation. When debug-formatted, it would include a user's AWS access key, AWS secret key, and security token in plaintext. When TRACE-level logging is...
CVE-2023-30610
The CVE affects aws-sigv4 in the AWS SDK for Rust: the SigningParams Debug output can expose a user’s AWS access key, secret key, and session token when TRACE-level logging is enabled, allowing credentials to appear in logs. Affected users should upgrade to fixed releases; patches are listed acro...
GHSA-WM8X-PHP5-HVQ6 Maligned causes incorrect deallocation
maligned::align_first manually allocates with an alignment larger than T, and then uses Vec::from_raw_parts on that allocation to get a Vec. GlobalAlloc::dealloc requires that the layout argument must be the same layout that was used to allocate that block of memory. When deallocating, Box and Vec m...
GHSA-MC8H-8Q98-G5HR Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU) Race Condition in remove_dir_all
The remove_dir_all crate is a Rust library that offers additional features over the Rust standard library fs::remove_dir_all function. It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting...
Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU) Race Condition in remove_dir_all
The remove_dir_all crate is a Rust library that offers additional features over the Rust standard library fs::remove_dir_all function. It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting...
Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)
The remove_dir_all crate is a Rust library that offers additional features over the Rust standard library fs::remove_dir_all function. It was possible to trick a privileged process doing a recursive delete in an attacker controlled directory into deleting privileged files, on all operating systems. F...
SUSE CVE-2021-21299
hyper is an open-source HTTP library for Rust (crates.io). In hyper from version 0.12.0 and before versions 0.13.10 and 0.14.3 there is a vulnerability that can enable a request smuggling attack. The HTTP server code had a flaw that incorrectly understands some requests with multiple...
auditor (>=0.0.1 <=0.0.2), avrisp (=0.3.0) +29 more potentially affected by unknown CVE via claim (>=0.3.1 <=0.5.0)
claim CARGO version =0.3.1, =0.0.1, =0.1.0, =0.3.0, =0.1.0, =0.2.0, =0.1.1, =0.1.0, =0.0.1, =0.0.2, =0.9.0, =0.8.0, =1.3.0 and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2022-0077...
Slack Morphism security vulnerability
Slack Morphism is a modern asynchronous client library for Rust that supports Slack Web, Events API, Socket Mode, and Block Kit. Versions prior to Slack Morphism 1.3.2 have an information disclosure vulnerability that stems from insufficient protection of sensitive information in the application,...
Denial of Service (DoS)
Overview: opcua is an OPC UA server / client API implementation for Rust. Affected versions of this package are vulnerable to Denial of Service (DoS) due to a missing limitation on the number of received chunks - per single session or in total for all concurrent sessions. An attacker can exploit thi...
Apache Avro security vulnerability
Apache Avro is a data serialization system of the United States Apache Foundation. It provides data serialization and data exchange services for Apache Hadoop. A security vulnerability exists in Apache Avro Rust SDK prior to version 0.14.0, which originates from consuming more memory than...
Design/Logic Flaw
totp-rs is a Rust library that permits the creation of 2FA authentication tokens per time-based one-time password (TOTP). Prior to version 1.1.0, token comparison was not constant time, and could theoretically be used to guess the value of a TOTP token, and thus reuse it in the same time window. The...
CVE-2022-29185 Observable Timing Discrepancy in totp-rs
totp-rs is a Rust library that permits the creation of 2FA authentication tokens per time-based one-time password (TOTP). Prior to version 1.1.0, token comparison was not constant time, and could theoretically be used to guess the value of a TOTP token, and thus reuse it in the same time window. The...