Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWg3cWgtM2g2Zi13Nzlw

High EPSS: 0.00575% (0.67632 Percentile) EPSS:
Permalink JSON

Unexpected panic in multihash

Affected Packages Affected Versions Fixed Versions
cargo:multihash < 0.11.3 0.11.3
150 Dependent packages
2,847 Dependent repositories
25,945,772 Downloads total

Affected Version Ranges

All affected versions

0.1.0, 0.3.0, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.5.1, 0.5.2, 0.6.0, 0.7.0, 0.8.0, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.10.0, 0.10.1, 0.11.0, 0.11.1, 0.11.2

All unaffected versions

0.11.3, 0.11.4, 0.12.0, 0.13.0, 0.13.1, 0.13.2, 0.14.0, 0.15.0, 0.16.0, 0.16.1, 0.16.2, 0.16.3, 0.17.0, 0.18.0, 0.18.1, 0.19.0, 0.19.1, 0.19.2, 0.19.3

In versions prior 0.11.3 it's possible to make from_slice panic by feeding it certain malformed input. It's never documented that from_slice (and from_bytes which wraps it) can panic, and its' return type (Result<Self, DecodeError>) suggests otherwise. In practice, from_slice/from_bytes is frequently used in networking code and is being called with unsanitized data from untrusted sources. This can allow attackers to cause DoS by causing an unexpected panic in the network client's code..

References:

Identifiers

GHSA-h7qh-3h6f-w79p

CVE-2020-35909

Risk

Severity

High

EPSS

EPSS Percentage: 0.00575

EPSS Percentile: 0.67632

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/multiformats/rust-multihash

Date and time

Published

almost 4 years ago

Updated

about 2 years ago

API

JSON