3305 matches found
Yamux Memory Exhaustion Vulnerability via Active::pending_frames property
Summary Attack scenario The Rust implementation of the Yamux stream multiplexer uses a vector for pending frames. This vector is not bounded in length. Every time the Yamux protocol requires sending of a new frame, this frame gets appended to this vector. This can be remotely triggered in a numbe...
GHSA-3999-5FFV-WP2R Yamux Memory Exhaustion Vulnerability via Active::pending_frames property
Summary Attack scenario The Rust implementation of the Yamux stream multiplexer uses a vector for pending frames. This vector is not bounded in length. Every time the Yamux protocol requires sending of a new frame, this frame gets appended to this vector. This can be remotely triggered in a numbe...
CVE-2024-32984
Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. The Rust implementation of the Yamux stream multiplexer uses a vector for pending frames. This vector is not bounded in length. Every time the Yamux protocol requires sending of a new frame, this frame gets appended ...
CVE-2024-32984 Yamux Memory Exhaustion Vulnerability via Active::pending_frames property
Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. The Rust implementation of the Yamux stream multiplexer uses a vector for pending frames. This vector is not bounded in length. Every time the Yamux protocol requires sending of a new frame, this frame gets appended ...
CVE-2024-32884
gitoxide is a pure Rust implementation of Git. gix-transport does not check the username part of a URL for text that the external ssh program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clo...
gitoxide security vulnerability
gitoxide is a git implementation written in Rust by Sebastian Thiel, a solo developer. A security vulnerability exists in gitoxide because gix-transport does not check the username of the URL...
[SECURITY] Fedora 40 Update: rust-1.77.2-1.fc40
Rust is a systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety. This package includes the Rust compiler and documentation generator...
CVE-2024-32650
Rustls is a modern TLS library written in Rust. `rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input. When using a blocking rustls server, if a client sends a `close_notify` message immediately after `client_hello`, the server's `complete_io` will get in an infinite...
[SECURITY] Fedora 38 Update: rust-1.77.2-1.fc38
Rust is a systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety. This package includes the Rust compiler and documentation generator...
EulerOS Virtualization 2.10.1 : libssh2 (EulerOS-SA-2024-1548)
According to the versions of the libssh2 package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attacke...
Fedora 38 : rust (2024-bbb141c1ed)
The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-bbb141c1ed advisory. Security fix for CVE-2024-24576 Windows command injection Tenable has extracted the preceding description block directly from the Fedora security...
Exploit for CVE-2024-24576
PoC exploit for CVE-2024-24576, a vulnerability in a specific pr...
Popular Rust Crate liblzma-sys Compromised with XZ Utils Backdoor Files
"Test files" associated with the XZ Utils backdoor have made their way to a Rust crate known as liblzma-sys, new findings from Phylum reveal. liblzma-sys, which has been downloaded over 21,000 times to date, provides Rust developers with bindings to the liblzma implementation, an underlying libra...
[SECURITY] Fedora 39 Update: rust-1.77.2-1.fc39
Rust is a systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety. This package includes the Rust compiler and documentation generator...
Exploit for CVE-2024-24576
CVE-2024-24576-Poc-Python A quick POC for the vulnerability di...
Exploit for CVE-2024-24576
CVE-2024-24576 PoC The Command::arg and Command::ar...
CVE-2024-24576
A command injection flaw was found in Rust, exclusive to Windows environments. When invoking batch files on Windows using the Command API, Rust explicitly uses cmd.exe which has complicated parsing rules for arguments. If an attacker can control part of the command arguments of the batch file, th...
CVE-2024-24576
Rust is a programming language. The Rust Security Response WG was notified that the Rust standard library prior to version 1.77.2 did not properly escape arguments when invoking batch files with the bat and cmd extensions on Windows using the Command. An attacker able to control the arguments...
CVE-2024-24576 Rust's `std::process::Command` did not properly escape arguments of batch files on Windows
Rust is a programming language. The Rust Security Response WG was notified that the Rust standard library prior to version 1.77.2 did not properly escape arguments when invoking batch files with the bat and cmd extensions on Windows using the Command. An attacker able to control the arguments...