Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12MzYyLTI4OTUtaDlyMs0egQ
Use After Free in lru
Lru crate has two functions for getting an iterator. Both iterators give references to key and value. Calling specific functions, like pop(), will remove and free the value, and but it's still possible to access the reference of value which is already dropped causing use after free.
Permalink: https://github.com/advisories/GHSA-v362-2895-h9r2JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12MzYyLTI4OTUtaDlyMs0egQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: 11 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-v362-2895-h9r2, CVE-2021-45720
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-45720
- https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/lru/RUSTSEC-2021-0130.md
- https://rustsec.org/advisories/RUSTSEC-2021-0130.html
- https://github.com/jeromefroe/lru-rs/issues/120
- https://github.com/advisories/GHSA-v362-2895-h9r2
Blast Radius: 28.1
Affected Packages
cargo:lru
Dependent packages: 335Dependent repositories: 5,544
Downloads: 40,178,425 total
Affected Version Ranges: < 0.7.1
Fixed in: 0.7.1
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.1.10, 0.1.11, 0.1.12, 0.1.13, 0.1.14, 0.1.15, 0.1.16, 0.1.17, 0.1.18, 0.2.0, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.7.0
All unaffected versions: 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.7.7, 0.7.8, 0.8.0, 0.8.1, 0.9.0, 0.10.0, 0.10.1, 0.11.0, 0.11.1, 0.12.0, 0.12.1, 0.12.2, 0.12.3