Vulnerable Library - bumpalo-3.10.0.crate

A fast bump allocation arena for Rust.

Library home page: https://crates.io/api/v1/crates/bumpalo/3.10.0/download

Dependency Hierarchy:

• criterion-0.3.6.crate (Root Library)
  • plotters-0.3.1.crate
    • wasm-bindgen-0.2.82.crate
      • wasm-bindgen-macro-0.2.82.crate
        • wasm-bindgen-macro-support-0.2.82.crate
          • wasm-bindgen-backend-0.2.82.crate
            • ❌ bumpalo-3.10.0.crate (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In bumpalo prior to 3.11.1, the lifetime of the iterator produced by Vec::into_iter() is not constrained to the lifetime of the Bump that allocated the vector's memory. Using the iterator after the Bump is dropped causes use-after-free accesses.

Publish Date: 2023-01-14

URL: WS-2023-0006

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2022-0078.html

Release Date: 2023-01-14

Fix Resolution: bumpalo - 3.11.1

Vulnerable Library - crossbeam-deque-0.8.0.crate

Concurrent work-stealing deque

Library home page: https://crates.io/api/v1/crates/crossbeam-deque/0.8.0/download

Dependency Hierarchy:

• criterion-0.3.5.crate (Root Library)
  • rayon-1.5.0.crate
    • rayon-core-1.9.0.crate
      • ❌ crossbeam-deque-0.8.0.crate (Vulnerable Library)

Found in HEAD commit: 676856c55c4793c3a89c1fe91bf47083f68eb987

Found in base branch: master

Vulnerability Details

crossbeam-deque is a package of work-stealing deques for building task schedulers when programming in Rust. In versions prior to 0.7.4 and 0.8.0, the result of the race condition is that one or more tasks in the worker queue can be popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this can cause double free and a memory leak. If not, this still can cause a logical bug. Crates using Stealer::steal, Stealer::steal_batch, or Stealer::steal_batch_and_pop are affected by this issue. This has been fixed in crossbeam-deque 0.8.1 and 0.7.4.

Publish Date: 2021-08-02

URL: CVE-2021-32810

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-pqqp-xmhj-wgcw

Release Date: 2021-08-02

Fix Resolution: crossbeam-deque - 0.7.4, 0.8.1

Vulnerable Library - regex-1.4.2.crate

An implementation of regular expressions for Rust. This implementation uses finite automata and guarantees linear time matching on all inputs.

Library home page: https://crates.io/api/v1/crates/regex/1.4.2/download

Dependency Hierarchy:

• criterion-0.3.5.crate (Root Library)
  • ❌ regex-1.4.2.crate (Vulnerable Library)

Found in base branch: master

Vulnerability Details

regex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API. Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes. All versions of the regex crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from regex 1.5.5. All users accepting user-controlled regexes are recommended to upgrade immediately to the latest version of the regex crate. Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, it us not recommend to deny known problematic regexes.

Publish Date: 2022-03-08

URL: CVE-2022-24713

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-m5pq-gvj9-9vr8

Release Date: 2022-03-08

Fix Resolution: regex - 1.5.5

Vulnerable Library - chrono-0.4.19.crate

Date and time library for Rust

Library home page: https://crates.io/api/v1/crates/chrono/0.4.19/download

Dependency Hierarchy:

• ❌ chrono-0.4.19.crate (Vulnerable Library)

Found in HEAD commit: 6452c9104c4246f0d667cc556434990670c20d0a

Found in base branch: master

Vulnerability Details

In Rust time crate from version 0.2.7 and before version 0.2.23, unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires the user to set any environment variable in a different thread than the affected functions. The affected functions are time::UtcOffset::local_offset_at, time::UtcOffset::try_local_offset_at, time::UtcOffset::current_local_offset, time::UtcOffset::try_current_local_offset, time::OffsetDateTime::now_local and time::OffsetDateTime::try_now_local. Non-Unix targets are unaffected. This includes Windows and wasm. The issue was introduced in version 0.2.7 and fixed in version 0.2.23.

Publish Date: 2020-11-24

URL: CVE-2020-26235

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - bumpalo-3.4.0.crate

A fast bump allocation arena for Rust.

Library home page: https://crates.io/api/v1/crates/bumpalo/3.4.0/download

Dependency Hierarchy:

• criterion-0.3.5.crate (Root Library)
  • plotters-0.3.1.crate
    • wasm-bindgen-0.2.78.crate
      • wasm-bindgen-macro-0.2.78.crate
        • wasm-bindgen-macro-support-0.2.78.crate
          • wasm-bindgen-backend-0.2.78.crate
            • ❌ bumpalo-3.4.0.crate (Vulnerable Library)

Found in HEAD commit: 676856c55c4793c3a89c1fe91bf47083f68eb987

Found in base branch: master

Vulnerability Details

An issue was discovered in the bumpalo crate before 3.2.1 for Rust. The realloc feature allows the reading of unknown memory. Attackers can potentially read cryptographic keys.

Publish Date: 2020-12-31

URL: CVE-2020-35861

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2020-0006.html

Release Date: 2020-12-31

Fix Resolution: bumpalo - 3.2.1

Vulnerable Library - crossbeam-utils-0.8.1.crate

Utilities for concurrent programming

Library home page: https://crates.io/api/v1/crates/crossbeam-utils/0.8.1/download

Dependency Hierarchy:

• criterion-0.3.5.crate (Root Library)
  • rayon-1.5.0.crate
    • rayon-core-1.9.0.crate
      • crossbeam-deque-0.8.0.crate
        • crossbeam-epoch-0.9.1.crate
          • ❌ crossbeam-utils-0.8.1.crate (Vulnerable Library)

Found in HEAD commit: 3b28390b3f71b4378b7b2232e7e11db1333da232

Found in base branch: master

Vulnerability Details

crossbeam-utils provides atomics, synchronization primitives, scoped threads, and other utilities for concurrent programming in Rust. crossbeam-utils prior to version 0.8.7 incorrectly assumed that the alignment of {i,u}64 was always the same as Atomic{I,U}64. However, the alignment of {i,u}64 on a 32-bit target can be smaller than Atomic{I,U}64. This can cause unaligned memory accesses and data race. Crates using fetch_* methods with AtomicCell<{i,u}64> are affected by this issue. 32-bit targets without Atomic{I,U}64 and 64-bit targets are not affected by this issue. This has been fixed in crossbeam-utils 0.8.7. There are currently no known workarounds.

Publish Date: 2022-02-15

URL: CVE-2022-23639

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-qc84-gqf4-9926

Release Date: 2022-02-15

Fix Resolution: crossbeam-utils - 0.8.7