Lucene search
K
RustsecRecent

1141 matches found

RustSec
RustSec
•added 2024/06/24 12:0 p.m.•8 views

The maintainer of chrono-english is unresponsive

All versions will encounter compilation errors with a chrono version 0.4.35, due to backward incompatible API changes. User conradludgade reworked the original crate and created a fork with the same API surface called interim. The fork is better structured and passes the same test suite as...

7.1AI score
Exploits0
RustSec
RustSec
•added 2024/06/18 12:0 p.m.•7 views

Timing variability in `curve25519-dalek`'s `Scalar29::sub`/`Scalar52::sub`

Timing variability of any kind is problematic when working with potentially secret values such as elliptic curve scalars, and such issues can potentially leak private keys and other secrets. Such a problem was recently discovered in curve25519-dalek. The Scalar29::sub 32-bit and Scalar52::sub...

5.1CVSS7.2AI score0.00152EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2024/06/10 12:0 p.m.•6 views

mmap unmaintained

The mmap crate is unmaintained as its repository has been archived on Feb 10, 2022. The main alternative seems to be memmap2 crate...

7.1AI score
Exploits0
RustSec
RustSec
•added 2024/06/03 12:0 p.m.•8 views

Reduced entropy due to inadequate character set usage

Description Affected versions of the nano-id crate incorrectly generated IDs using a reduced character set in the nanoid::base62 and nanoid::base58 functions. Specifically, the base62 function used a character set of 32 symbols instead of the intended 62 symbols, and the base58 function used a...

9.8CVSS7AI score0.00754EPSS
Exploits1Affected Software1
RustSec
RustSec
•added 2024/05/22 12:0 p.m.•7 views

Refs and paths with reserved Windows device names access the devices

Summary On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary data to the devices. This allows a repository, when cloned, to cause indefinite blocking or the production of arbitrary message that...

5.4CVSS7.1AI score0.00448EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2024/05/22 12:0 p.m.•7 views

Refs and paths with reserved Windows device names access the devices

Summary On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary data to the devices. This allows a repository, when cloned, to cause indefinite blocking or the production of arbitrary message that...

5.4CVSS7.1AI score0.00448EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2024/05/22 12:0 p.m.•8 views

Traversal outside working tree enables arbitrary code execution

Summary During checkout, gitoxide does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application. Details Although gix-worktree-state checks for collisions with existing files, it does not...

8.8CVSS8AI score0.00816EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2024/05/22 12:0 p.m.•6 views

Traversal outside working tree enables arbitrary code execution

Summary During checkout, gitoxide does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application. Details Although gix-worktree-state checks for collisions with existing files, it does not...

8.8CVSS8AI score0.00816EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2024/05/22 12:0 p.m.•10 views

Refs and paths with reserved Windows device names access the devices

Summary On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary data to the devices. This allows a repository, when cloned, to cause indefinite blocking or the production of arbitrary message that...

5.4CVSS7.1AI score0.00448EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2024/05/22 12:0 p.m.•9 views

Traversal outside working tree enables arbitrary code execution

Summary During checkout, gitoxide does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application. Details Although gix-worktree-state checks for collisions with existing files, it does not...

8.8CVSS8AI score0.00816EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2024/05/17 12:0 p.m.•8 views

BTreeMap memory leak when deallocating nodes with overflows

When storing unbounded types in a BTreeMap, a node is represented as a linked list of "memory chunks". In some cases, when we deallocate a node only the first memory chunk is deallocated, and the rest of the memory chunks remain incorrectly allocated, causing a memory leak. In the worst case,...

7.5CVSS7.1AI score0.00515EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2024/05/15 12:0 p.m.•6 views

Tor path lengths too short when "Vanguards lite" configured

Description When building anonymizing circuits to or from an onion service with 'lite' vanguards the default enabled, the circuit manager code would build the circuits with one hop too few. Impact This makes users of this code more vulnerable to some kinds of traffic analysis when they run or vis...

6.2CVSS7.2AI score0.00186EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2024/05/15 12:0 p.m.•6 views

Tor path lengths too short when "full Vanguards" configured

Description When building anonymizing circuits to or from an onion service with full vanguards enabled, the circuit manager code would build the circuits with one hop too few. Impact This makes users of this code more vulnerable to some kinds of traffic analysis when they run or visit onion...

7.3CVSS7.2AI score0.00298EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2024/05/02 12:0 p.m.•5 views

Degraded secret zeroization capabilities

Versions 0.5.0 and 0.5.1 of vodozemac have degraded secret zeroization capabilities, due to changes in third-party cryptographic dependencies the Dalek crates, which moved secret zeroization capabilities behind a feature flag while vodozemac disabled the default feature set. Impact The degraded...

2.5CVSS6.7AI score0.00135EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2024/04/24 12:0 p.m.•5 views

Arithmetic overflows in cosmwasm-std

Some mathematical operations in cosmwasm-std use wrapping math instead of panicking on overflow for very big numbers. This can lead to wrong calculations in contracts that use these operations. Affected functions: - Uint256,512::pow / Int256,512::pow - Int256,512::neg Affected if overflow-checks ...

5.3CVSS7.3AI score0.00418EPSS
Exploits1Affected Software1
RustSec
RustSec
•added 2024/04/20 12:0 p.m.•9 views

The crate `zip_next` has been renamed to `zip`.

Please switch to the new name. zipnext will receive no further releases...

7.1AI score
Exploits0
RustSec
RustSec
•added 2024/04/19 12:0 p.m.•6 views

`rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input

If a closenotify alert is received during a handshake, completeio does not terminate. Callers which do not call completeio are not affected. rustls-tokio and rustls-ffi do not call completeio and are not affected. rustls::Stream and rustls::StreamOwned types use completeio and are affected...

7.5CVSS7.1AI score0.00949EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2024/04/13 12:0 p.m.•5 views

gix-transport indirect code execution via malicious username

Summary gix-transport does not check the username part of a URL for text that the external ssh program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose...

6.4CVSS8.3AI score0.00514EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2024/04/06 12:0 p.m.•5 views

`rsa-export` is unmaintained

This crate has been deprecated in favour of using the native support for exporting RSA keys into the standard PEM format. See docs.rs documentation. In addition to that, the operations in this crate arithmetic and Base64 encoding are not done in constant-time, potentially exposing the user to...

7.1AI score
Exploits0
RustSec
RustSec
•added 2024/04/05 12:0 p.m.•9 views

`libp2p-tokio-socks5` is unmaintained

Note the repository was archived without an issue so we link directly to the commit that marked the repository as unmaintained. To the best of the original authors knowledge the crate has no vulnerabilities as of the last release, it is just unmaintained due to laziness - new maintainer welcome...

7.2AI score
Exploits0
RustSec
RustSec
•added 2024/04/03 12:0 p.m.•6 views

Degradation of service in h2 servers with CONTINUATION Flood

An attacker can send a flood of CONTINUATION frames, causing h2 to process them indefinitely. This results in an increase in CPU usage. Tokio task budget helps prevent this from a complete denial-of-service, as the server can still respond to legitimate requests, albeit with increased latency. Mo...

7AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2024/04/02 12:0 p.m.•8 views

Panic when using a dropped extenref-typed element segment

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-75hq-h6g9-h4q5. For more information see the GitHub-hosted security advisory...

5.5CVSS7AI score0.00318EPSS
Exploits1Affected Software1
RustSec
RustSec
•added 2024/03/31 12:0 p.m.•5 views

Puccinier is unmainted.

The tool has been deprecated in favor of Catppuccin's new tool, whiskers crates.io...

7.1AI score
Exploits0
RustSec
RustSec
•added 2024/03/30 12:0 p.m.•11 views

Unsoundness in `Iterator` and `DoubleEndedIterator` impls for `glib::VariantStrIter`

The VariantStrIter::implget function called internally by implementations of the Iterator and DoubleEndedIterator traits for this type was unsound, resulting in undefined behaviour. An immutable reference &p to a mut libc::cchar pointer initialized to NULL was passed as an argument to a C functio...

7.4AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2024/03/20 12:0 p.m.•11 views

yaml-rust is unmaintained.

The maintainer seems unreachable. Many issues and pull requests have been submitted over the years without any response. Alternatives Consider switching to the actively maintained yaml-rust2 fork of the original project: - yaml-rust2 - yaml-rust2 @ crates.io...

7.2AI score
Exploits0
RustSec
RustSec
•added 2024/03/15 12:0 p.m.•7 views

Slow loris vulnerability with default configuration

tls-listener is a rust lang wrapper around a connection listener to support TLS. With the default configuration of tls-listener, a malicious user can open 6.4 TcpStreams a second, sending 0 bytes, and can trigger a DoS. The default configuration options make any public service using...

7.5CVSS7AI score0.00964EPSS
Exploits1Affected Software1
RustSec
RustSec
•added 2024/03/05 12:0 p.m.•8 views

Parts of Report are dropped as the wrong type during downcast

In affected versions, after a Report is constructed using wraperr or wraperrwith to attach a message of type D onto an error of type E, then using downcast to recover ownership of either the value of type D or the value of type E, one of two things can go wrong: - If downcasting to E, there remai...

7AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2024/03/05 12:0 p.m.•6 views

Fails to ensure slice elements match the slice's declared type

Affected versions allow populating a DistributedSlice of T with elements of an arbitrary other type that coerces to T. For example, elements of type &&str could end up in a slice of type &str, since &&str coerces to &str via a deref coercion. The flaw was corrected by implementing typechecking fo...

7AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2024/03/04 12:0 p.m.•5 views

gtk-rs GTK3 bindings - no longer maintained

The gtk-rs GTK3 bindings are no longer maintained. The maintainers have archived the repository, and added a note to the crate description and its README.md that the crates are no longer maintained. Please take a look at gtk4-rs instead...

7.1AI score
Exploits0
RustSec
RustSec
•added 2024/03/04 12:0 p.m.•5 views

gtk-rs GTK3 bindings - no longer maintained

The gtk-rs GTK3 bindings are no longer maintained. The maintainers have archived the repository, and added a note to the crate description and its README.md that the crates are no longer maintained. Please take a look at gtk4-rs instead...

7.1AI score
Exploits0
RustSec
RustSec
•added 2024/03/04 12:0 p.m.•5 views

gtk-rs GTK3 bindings - no longer maintained

The gtk-rs GTK3 bindings are no longer maintained. The maintainers have archived the repository, and added a note to the crate description and its README.md that the crates are no longer maintained. Please take a look at gtk4-rs instead...

7.1AI score
Exploits0
RustSec
RustSec
•added 2024/03/04 12:0 p.m.•6 views

gtk-rs GTK3 bindings - no longer maintained

The gtk-rs GTK3 bindings are no longer maintained. The maintainers have archived the repository, and added a note to the crate description and its README.md that the crates are no longer maintained. Please take a look at gtk4-rs instead...

7.1AI score
Exploits0
RustSec
RustSec
•added 2024/03/04 12:0 p.m.•6 views

gtk-rs GTK3 bindings - no longer maintained

The gtk-rs GTK3 bindings are no longer maintained. The maintainers have archived the repository, and added a note to the crate description and its README.md that the crates are no longer maintained. Please take a look at gtk4-rs instead...

7.1AI score
Exploits0
RustSec
RustSec
•added 2024/03/04 12:0 p.m.•6 views

gtk-rs GTK3 bindings - no longer maintained

The gtk-rs GTK3 bindings are no longer maintained. The maintainers have archived the repository, and added a note to the crate description and its README.md that the crates are no longer maintained. Please take a look at gtk4-rs instead...

7.1AI score
Exploits0
RustSec
RustSec
•added 2024/03/04 12:0 p.m.•6 views

gtk-rs GTK3 bindings - no longer maintained

The gtk-rs GTK3 bindings are no longer maintained. The maintainers have archived the repository, and added a note to the crate description and its README.md that the crates are no longer maintained. Please take a look at gtk4-rs instead...

7.1AI score
Exploits0
RustSec
RustSec
•added 2024/03/04 12:0 p.m.•7 views

Tokens for named pipes may be delivered after deregistration

Impact When using named pipes on Windows, mio will under some circumstances return invalid tokens that correspond to named pipes that have already been deregistered from the mio registry. The impact of this vulnerability depends on how mio is used. For some applications, invalid tokens may be...

9.1CVSS7AI score0.00889EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2024/03/04 12:0 p.m.•5 views

gtk-rs GTK3 bindings - no longer maintained

The gtk-rs GTK3 bindings are no longer maintained. The maintainers have archived the repository, and added a note to the crate description and its README.md that the crates are no longer maintained. Please take a look at gtk4-rs instead...

7.1AI score
Exploits0
RustSec
RustSec
•added 2024/03/04 12:0 p.m.•8 views

gtk-rs GTK3 bindings - no longer maintained

The gtk-rs GTK3 bindings are no longer maintained. The maintainers have archived the repository, and added a note to the crate description and its README.md that the crates are no longer maintained. Please take a look at gtk4-rs instead...

7.1AI score
Exploits0
RustSec
RustSec
•added 2024/03/04 12:0 p.m.•5 views

gtk-rs GTK3 bindings - no longer maintained

The gtk-rs GTK3 bindings are no longer maintained. The maintainers have archived the repository, and added a note to the crate description and its README.md that the crates are no longer maintained. Please take a look at gtk4-rs instead...

7.1AI score
Exploits0
RustSec
RustSec
•added 2024/03/04 12:0 p.m.•6 views

gtk-rs GTK3 bindings - no longer maintained

The gtk-rs GTK3 bindings are no longer maintained. The maintainers have archived the repository, and added a note to the crate description and its README.md that the crates are no longer maintained. Please take a look at gtk4-rs instead...

7.1AI score
Exploits0
RustSec
RustSec
•added 2024/02/28 12:0 p.m.•6 views

Stack buffer overflow with whoami on several Unix platforms

With versions of the whoami crate = 0.5.3 and = 0.5.3 and 1.0.1, calling any of the above functions also leads to a stack buffer overflow on these platforms: - Bitrig - DragonFlyBSD - FreeBSD - NetBSD - OpenBSD This occurs because of an incorrect definition of the passwd struct on those platforms...

7.7AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2024/02/28 12:0 p.m.•4 views

Non-idiomatic use of iterators leads to use after free

Code that attempts to use an item e.g., a row returned by an iterator after the iterator has advanced to the next item will be accessing freed memory and experience undefined behaviour. Code that uses the item and then advances the iterator is unaffected. This problem has always existed. This is ...

7.5CVSS7.3AI score0.00817EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2024/02/27 12:0 p.m.•6 views

ObjectPool creates uninitialized memory when freeing objects

As of version 0.6.0, the ObjectPool explicitly creates an uninitialized instance of its type parameter when it attempts to free an object, and swaps it into the storage. This causes instant undefined behavior due to reading the uninitialized memory in order to write it to the pool storage...

7.3AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2024/02/19 12:0 p.m.•7 views

dav1d AV1 decoder integer overflow

An integer overflow in dav1d AV1 decoder that can occur when decoding videos with large frame size. This can lead to memory corruption within the AV1 decoder. We recommend upgrading to version 0.7.0 of libdav1d-sys, which includes dav1d 1.4.0...

8.8CVSS7.6AI score0.01835EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2024/02/11 12:0 p.m.•4 views

`generational-arena` is unmaintained

The generational-arena crate's repository has been archived and is no longer maintained. Alternatives - slotmap...

7.2AI score
Exploits0
RustSec
RustSec
•added 2024/02/06 12:0 p.m.•5 views

Memory corruption, denial of service, and arbitrary code execution in libgit2

The libgit2 project fixed three security issues in the 1.7.2 release. These issues are: The gitrevparsesingle function can potentially enter an infinite loop on a well-crafted input, potentially causing a Denial of Service. This function is exposed in the git2 crate via the...

7.5CVSS8.3AI score0.01443EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2024/02/06 12:0 p.m.•4 views

Improper comparison of different-length signatures

The Webhook::verify function incorrectly compared signatures of different lengths - the two signatures would only be compared up to the length of the shorter signature. This allowed an attacker to pass in v1, as the signature, which would always pass verification...

6.5CVSS7AI score0.0041EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2024/01/26 12:0 p.m.•4 views

`conrod` is unmaintained

The crate conrod has been deprecated since version 0.62.0 released in December 2018. The functionality was split across multiple different crates, with the core functionality being transferred to conrodcore. An overview can be found in the conrod repository. If you have this crate in your...

7AI score
Exploits0
RustSec
RustSec
•added 2024/01/26 12:0 p.m.•3 views

`conrod_core` is unmaintained

The conrodcore crate is no longer maintained. The author suggests egui as a potential alternative...

7.1AI score
Exploits0
RustSec
RustSec
•added 2024/01/25 12:0 p.m.•4 views

filesystem-rs may be implicitly unmaintained

The last release was over 5 years ago, and the last commit was over 4 years ago. The maintainers have not responded to a pull request to update dependencies that are themselves unmaintained, and which poses the question of maintenance...

7.1AI score
Exploits0
Total number of security vulnerabilities1141