Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTY5Z3ctaGdqMy00NW03
Memory corruption in smallvec
Attempting to call grow on a spilled SmallVec with a value less than the current capacity causes corruption of memory allocator data structures. An attacker that controls the value passed to grow may exploit this flaw to obtain memory contents or gain remote code execution.
Permalink: https://github.com/advisories/GHSA-69gw-hgj3-45m7JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTY5Z3ctaGdqMy00NW03
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 2 years ago
Updated: 11 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-69gw-hgj3-45m7, CVE-2019-15554
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-15554
- https://github.com/servo/rust-smallvec/issues/149
- https://rustsec.org/advisories/RUSTSEC-2019-0012.html
- https://github.com/advisories/GHSA-69gw-hgj3-45m7
Blast Radius: 47.3
Affected Packages
cargo:smallvec
Dependent packages: 1,343Dependent repositories: 67,564
Downloads: 224,477,213 total
Affected Version Ranges: >= 0.6.3, < 0.6.10
Fixed in: 0.6.10
All affected versions: 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.6.9
All unaffected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.2.0, 0.2.1, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.6.2, 0.6.10, 0.6.11, 0.6.12, 0.6.13, 0.6.14, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.6.0, 1.6.1, 1.7.0, 1.8.0, 1.8.1, 1.9.0, 1.10.0, 1.11.0, 1.11.1, 1.11.2, 1.12.0, 1.13.0, 1.13.1, 1.13.2