Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yNTdyLWo5OGctNTg3Zs0fig
Pointer dereference in nanorand
An issue was discovered in the nanorand crate before 0.6.1 for Rust. There can be multiple mutable references to the same object because the TlsWyRand Deref implementation dereferences a raw pointer.
Permalink: https://github.com/advisories/GHSA-r57r-j98g-587f
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yNTdyLWo5OGctNTg3Zs0fig
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-r57r-j98g-587f, CVE-2021-45705
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-45705
- https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/nanorand/RUSTSEC-2021-0114.md
- https://rustsec.org/advisories/RUSTSEC-2021-0114.html
- https://github.com/Absolucy/nanorand-rs/issues/28
- https://github.com/advisories/GHSA-r57r-j98g-587f
Blast Radius: 34.3
Affected Packages
cargo:nanorand
Dependent packages: 74
Dependent repositories: 3,176
Downloads: 17,591,762 total
Affected Version Ranges: >= 0.5.0, < 0.6.1
Fixed in: 0.6.1
All affected versions: 0.5.0, 0.5.1, 0.5.2, 0.6.0
All unaffected versions: 0.0.0, 0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.3.0, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.6.1, 0.7.0