GHSA-M325-RXJV-PWPH - Vulnerability-Lookup

GHSA-M325-RXJV-PWPH

Vulnerability from github – Published: 2022-06-17 00:11 – Updated: 2023-06-13 18:41

Summary

Deserialization functions pass uninitialized memory to user-provided Read

Details

Affected versions of this crate passed an uninitialized buffer to a user-provided Read instance in:

deserialize_binary
deserialize_string
deserialize_extension_others
deserialize_string_primitive

This can result in safe Read implementations reading from the uninitialized buffer leading to undefined behavior.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "messagepack-rs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-17T00:11:41Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Affected versions of this crate passed an uninitialized buffer to a\nuser-provided `Read` instance in:\n\n* `deserialize_binary`\n* `deserialize_string`\n* `deserialize_extension_others`\n* `deserialize_string_primitive`\n\nThis can result in safe `Read` implementations reading from the uninitialized\nbuffer leading to undefined behavior.",
  "id": "GHSA-m325-rxjv-pwph",
  "modified": "2023-06-13T18:41:50Z",
  "published": "2022-06-17T00:11:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/otake84/messagepack-rs/issues/2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/otake84/messagepack-rs"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2021-0092.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Deserialization functions pass uninitialized memory to user-provided Read"
}

ghsa-m325-rxjv-pwph

Vulnerability from osv_rustsec

Published

2021-01-26 12:00

Modified

2023-06-13 13:10

Summary

Deserialization functions pass uninitialized memory to user-provided Read

Details

Affected versions of this crate passed an uninitialized buffer to a user-provided Read instance in:

deserialize_binary
deserialize_string
deserialize_extension_others
deserialize_string_primitive

This can result in safe Read implementations reading from the uninitialized buffer leading to undefined behavior.

{
  "affected": [
    {
      "database_specific": {
        "categories": [
          "memory-exposure"
        ],
        "cvss": null,
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "messagepack-rs",
        "purl": "pkg:cargo/messagepack-rs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-0"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "CVE-2021-45690",
    "CVE-2021-45691",
    "CVE-2021-45692",
    "CVE-2021-45693",
    "GHSA-hr52-f9vp-582c",
    "GHSA-jqjj-r4qp-x2gh",
    "GHSA-jwfh-j623-m97h",
    "GHSA-m325-rxjv-pwph",
    "GHSA-vw5m-qw2r-m923"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "Affected versions of this crate passed an uninitialized buffer to a\nuser-provided `Read` instance in:\n\n* `deserialize_binary`\n* `deserialize_string`\n* `deserialize_extension_others`\n* `deserialize_string_primitive`\n\nThis can result in safe `Read` implementations reading from the uninitialized\nbuffer leading to undefined behavior.",
  "id": "RUSTSEC-2021-0092",
  "modified": "2023-06-13T13:10:24Z",
  "published": "2021-01-26T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/messagepack-rs"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2021-0092.html"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/otake84/messagepack-rs/issues/2"
    }
  ],
  "related": [],
  "severity": [],
  "summary": "Deserialization functions pass uninitialized memory to user-provided Read"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.