CVE-2024-3566

Technical details about CVE-2024-3566 are not provided in the connected documents. The initial description notes a command injection risk, but no affected products, versions, impact, or fixes are specified here. Monitor for updated technical disclosures.

CVE-2022-21658

CVE-2022-21658 affects Rust’s std::fs::remove_dir_all, due to a race condition (CWE-363) that could allow an attacker to trick a privileged process into deleting files/directories outside the target. Affected Rust releases: 1.0.0–1.58.0; patch released in 1.58.1. Impact can be significant for pri...

CVE-2015-20001

In Rust prior to 1.2.0, the standard library’s BinaryHeap is not panic-safe. If the comparison of generic elements inside sift_up or sift_down_range panics, the heap can be left in an inconsistent state, leading to dropping zeroed memory of an arbitrary type and a memory-safety violation. This CV...

CVE-2021-29922

The CVE-2021-29922 issue affects Rust's standard library, specifically library/std/src/net/parser.rs, where extraneous zero characters at the beginning of an IP address string can lead to octal interpretation and bypasses of IP-based access controls. The vulnerability is present in Rust before 1....

CVE-2024-24576

CVE-2024-24576 affects Rust’s standard library on Windows where Command::arg/args escaping for batch files was not thorough enough. This could allow arbitrary shell commands when untrusted input is passed to batch file invocations via cmd.exe, enabling LPE/RCE scenarios as described in PoC and pu...

CVE-2019-12083

The CVE-2019-12083 issue affects the Rust Standard Library 1.34.x prior to 1.34.2, where a stabilized method, if overridden, can violate Rust safety guarantees. Specifically, overriding Error::type_id can allow casting of any type to another, enabling memory-safety vulnerabilities in otherwise sa...

CVE-2018-1000622

CVE-2018-1000622 affects Rust rustdoc: loading plugins from world-writable directories could enable local code execution. AFFECTED: rustdoc versions 0.8 through 1.27.0; exploitation via the --plugin flag without the --plugin-path flag. REMEDY: upgrade to a fixed release (1.27.1 per initial descri...

CVE-2019-16760

CVE-2019-16760 affects Cargo in Rust releases up to 1.25.0, where the package key in Cargo.toml can cause Cargo to download the wrong dependency. This could allow a malicious package to be substituted when building manifests (affecting locally written and crates.io published manifests). The advis...

CVE-2020-36323

CVE-2020-36323 – Rust stdlib string-joining optimization issue : The connected sources confirm a defect in Rust before 1.52.0 where a string-joining optimization could expose uninitialized bytes or cause a crash if the borrowed string changes after its length is checked. This is a security issue ...

CVE-2021-28876

The CVE-2021-28876 issue affects the Rust standard library’s Zip implementation up to Rust 1.51.x, where __iterator_get_unchecked() can be invoked more than once for the same index if the underlying iterator panics. This creates a memory-safety violation risk related to TrustedRandomAccess. Impac...

CVE-2021-28878

CVE-2021-28878 affects the Rust standard library before 1.52.0. The Zip implementation can call __iterator_get_unchecked() more than once for the same index when next_back() and next() are used together, creating a memory-safety vulnerability related to TrustedRandomAccess. Affected releases incl...

CVE-2021-28879

CVE-2021-28879 affects the Rust standard library prior to 1.52.0, specifically the Zip implementation. The bug permits reporting an incorrect size due to an integer overflow, which can cause a buffer overflow when a consumed Zip iterator is used again. The issue is documented across multiple conn...

CVE-2021-31162

CVE-2021-31162 affects the Rust standard library’s Vec::from_iter: a double free can occur if freeing the element panics in Rust versions prior to 1.52.0. Several connected advisories confirm this vulnerability and reference the same underlying issue in the Vec::from_iter path, with impact descri...

CVE-2021-28875

CVE-2021-28875 affects the Rust standard library prior to 1.50.0. In read_to_end(), the return value from Read is not validated in an unsafe context, which can lead to a buffer overflow. Several connected sources corroborate this bug and note the fix involves upgrading Rust to a newer release. Th...

CVE-2020-36318

CVE-2020-36318 affects Rust’s standard library VecDeque::make_contiguous, where a condition can cause the same element to be popped more than once, leading to use-after-free or double-free. Multiple advisories (RHEL/CentOS 8, Rocky Linux, Oracle Linux, CentOS) reference this issue alongside CVE-2...

CVE-2021-28877

The CVE-2021-28877 issue affects the Rust standard library prior to 1.51.0, where the Zip implementation calls __iterator_get_unchecked() for the same index more than once during nested iteration, creating a memory safety violation related to TrustedRandomAccess. Affected: Rust stdlib (Zip path) ...

CVE-2020-36317

The CVE-2020-36317 issue affects the Rust standard library prior to 1.49.0, where String::retain() can panic and allow creation of a non-UTF-8 Rust string. This may cause a memory-safety violation when other APIs assume UTF-8 on the same string. Several connected advisories confirm Rust 1.49.0 or...

CVE-2018-25008

CVE-2018-25008 affects the Rust standard library: Arc::get_mut in Rust versions before 1.29.0 has weak synchronization that can lead to memory-safety issues via race conditions. The connected documents corroborate this description across several sources. The exact affected products/versions beyon...

CVE-2023-40030

Summary (CVE-2023-40030): Cargo could include unescaped Cargo feature names in the timings report, enabling potential cross-site scripting if the report is uploaded to a site that uses credentials. This affects builds using dependencies from git/local paths/alternative registries; crates.io-only ...

CVE-2024-43402

CVE-2024-43402 describes a Rust vulnerability in how Windows batch file names with trailing spaces or periods could bypass the existing mitigation for CVE-2024-24576. The issue arises from how the original fix checked for .bat/.cmd endings, failing to account for Windows normalizing trailing whit...

CVE-2017-20004

CVE-2017-20004 affects the Rust standard library prior to 1.19.0, where a synchronization flaw in the MutexGuard object allows MutexGuards to be used across threads with arbitrary types, enabling memory-safety issues via data races. Affected component: Rust standard library; vulnerable version ra...

CVE-2018-1000810

CVE-2018-1000810 affects the Rust standard library up to version 1.29.0 (including 1.28.0, 1.27.x, etc.), caused by a CWE-680 integer overflow to buffer overflow in the internal handling of str::repeat. The vulnerability could lead to a buffer overflow and is fixed in 1.29.1. Affected products re...

CVE-2018-1000657

CVE-2018-1000657 overview (Rust std::collections::vec_deque::VecDeque::reserve) : The vulnerability affects the Rust standard library’s VecDeque::reserve() function in Rust releases starting with commit bfa0e1f58a… and prior to the fix. The root cause is a buffer overrun that can lead to Arbitrar...

CVE-2019-1010299

CVE-2019-1010299 affects the Rust standard library: Rust 1.18.0 and later. The vulnerability is CWE-200 Information Exposure due to the Debug trait implementation for std::collections::vec_deque::Iter, which could cause contents of uninitialized memory to be printed when debug-printing an iterato...