Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWd2NzMtOW13di1md2dx
Out of bounds write in prost
Affected versions of this crate contained a bug in which decoding untrusted input could overflow the stack. On architectures with stack probes (like x86), this can be used for denial of service attacks, while on architectures without stack probes (like ARM) overflowing the stack is unsound and can result in potential memory corruption (or even RCE).
Permalink: https://github.com/advisories/GHSA-gv73-9mwv-fwgqJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWd2NzMtOW13di1md2dx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 2 years ago
Updated: 11 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-gv73-9mwv-fwgq, CVE-2020-35858
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-35858
- https://github.com/danburkert/prost/issues/267
- https://rustsec.org/advisories/RUSTSEC-2020-0002.html
- https://github.com/danburkert/prost/commit/04091d3e745c27590a5f1b7f581793e4159486b5
- https://github.com/advisories/GHSA-gv73-9mwv-fwgq
Blast Radius: 38.1
Affected Packages
cargo:prost
Dependent packages: 1,131Dependent repositories: 7,735
Downloads: 70,156,010 total
Affected Version Ranges: < 0.6.1
Fixed in: 0.6.1
All affected versions: 0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.5.0, 0.6.0
All unaffected versions: 0.6.1, 0.7.0, 0.8.0, 0.9.0, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.11.0, 0.11.2, 0.11.3, 0.11.5, 0.11.6, 0.11.7, 0.11.8, 0.11.9, 0.12.0, 0.12.1, 0.12.2, 0.12.3, 0.12.4