CVE-2024-52793 XSS vulnerability in serveDir API of @std/http/file-server on POSIX systems

The Deno Standard Library provides APIs for Deno and the Web. Prior to version 1.0.11, http/file-server's serveDir with showDirListing: true option is vulnerable to cross-site scripting when the attacker is a user who can control file names in the source directory on systems with POSIX file names...

CVE-2024-53432

While parsing certain malformed PLY files, PCL version 1.14.1 crashes due to an uncaught std::outofrange exception in PCLPointCloud2::at. This issue could potentially be exploited to cause a denial-of-service DoS attack when processing untrusted PLY files...

cap-dir-ext (>=0.3.0 <=0.6.0), cap-fs-ext (>=0.7.0 <=0.26.1) +7 more potentially affected by CVE-2024-51756 via cap-async-std (>=0.10.0 <=0.9.0)

cap-async-std CARGO version =0.10.0, =0.3.0, =0.7.0, =0.1.0, =0.1.0, =0.2.0, =0.0.0, =0.5.3, =0.23.0 Source cves: CVE-2024-51756 Source advisory: OSV:GHSA-HXF5-99XG-86HW...

cap-std doesn't fully sandbox all the Windows device filenames

Impact cap-std's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however it did not block access to the special device filenames which use superscript digits, such as "COM¹", "COM²", "LPT⁰", "LPT¹", and so o...

GHSA-HXF5-99XG-86HW cap-std doesn't fully sandbox all the Windows device filenames

Impact cap-std's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however it did not block access to the special device filenames which use superscript digits, such as "COM¹", "COM²", "LPT⁰", "LPT¹", and so o...

CVE-2024-51756

The cap-std project is organized around the eponymous cap-std crate, and develops libraries to make it easy to write capability-based code. cap-std's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however i...

CVE-2024-51756

The CVE affects cap-std’s Windows filesystem sandbox, where access to special device filenames with superscript digits (e.g., COM¹, LPT⁰) was not blocked, allowing untrusted paths to bypass the sandbox and reach peripheral devices or network-shared resources mapped to those devices. Root cause: t...

CVE-2024-51756 cap-std doesn't fully sandbox all the Windows device filenames

The cap-std project is organized around the eponymous cap-std crate, and develops libraries to make it easy to write capability-based code. cap-std's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however i...

CVE-2024-51756 cap-std doesn't fully sandbox all the Windows device filenames

The cap-std project is organized around the eponymous cap-std crate, and develops libraries to make it easy to write capability-based code. cap-std's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however i...

CVE-2024-51756 cap-std doesn't fully sandbox all the Windows device filenames

The cap-std project is organized around the eponymous cap-std crate, and develops libraries to make it easy to write capability-based code. cap-std's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however i...

CVE-2024-51756

The cap-std project is organized around the eponymous cap-std crate, and develops libraries to make it easy to write capability-based code. cap-std's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however i...

RUSTSEC-2024-0445 cap-primitives doesn't fully sandbox all the Windows device filenames

Impact cap-primitives's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however it did not block access to the special device filenames which use superscript digits, such as "COM¹", "COM²", "LPT⁰", "LPT¹", a...

assemblylift-cli (>=0.4.0-alpha.5 <=0.4.0-alpha.11), assemblylift-core (>=0.4.0-alpha.10 <=0.4.0-alpha.11) +93 more potentially affected by CVE-2024-51756 via cap-primitives (>=0.10.0 <=3.0.0)

cap-primitives CARGO version =0.10.0, =0.4.0-alpha.5, =0.4.0-alpha.10, =0.1.0, =0.3.0, =0.1.0, =0.7.0, =1.0.11, =0.1.0, =0.1.1, =0.1.0, =0.3.0, =0.5.2, =0.1.1, =0.1.0, =0.1.0, =0.2.3 and more Source cves: CVE-2024-51756 Source advisory: OSV:RUSTSEC-2024-0445...

OSV-2024-1272 Segv on unknown address in std::__1::ios_base::~ios_base

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=371292576 Crash type: Segv on unknown address Crash state: std::1::iosbase::iosbase Poco::Net::MultipartReader::nextPart Poco::Net::MailMessage::readMultipart...

cap-std 路径遍历漏洞

cap-std is a feature-based version of the Rust Standard Library open-sourced by the Bytecode Alliance. A path traversal vulnerability exists in versions of cap-std prior to 3.4.1, which stems from a failure of the file system sandbox implementation on Windows to prevent access to special device...

CVE-2024-43402

Rust is a programming language. The fix for CVE-2024-24576, where std::process::Command incorrectly escaped arguments when invoking batch files on Windows, was incomplete. Prior to Rust version 1.81.0, it was possible to bypass the fix when the batch file name had trailing whitespace or periods...

OSV-2024-914 UNKNOWN READ in boost::re_detail_500::basic_regex_formatter<std::__1::ostream_iterator<char, cha

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66851 Crash type: UNKNOWN READ Crash state: boost::redetail500::basicregexformatter boost::red...

OSV-2024-867 Use-of-uninitialized-value in std::__1::ostreambuf_iterator<char, std::__1::char_traits<char>> std::__1::__pad

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=68801 Crash type: Use-of-uninitialized-value Crash state: std::1::ostreambufiterator std::1::pad std::1::basicostream& std::1::putchar ostream...

CVE-2024-43367

Boa is an embeddable and experimental Javascript engine written in Rust. Starting in version 0.16 and prior to version 0.19.0, a wrong assumption made when handling ECMAScript's AsyncGenerator operations can cause an uncaught exception on certain scripts. Boa's implementation of AsyncGenerator...

CVE-2024-43367 Boa has an uncaught exception when transitioning the state of `AsyncGenerator` objects

Boa is an embeddable and experimental Javascript engine written in Rust. Starting in version 0.16 and prior to version 0.19.0, a wrong assumption made when handling ECMAScript's AsyncGenerator operations can cause an uncaught exception on certain scripts. Boa's implementation of AsyncGenerator...