Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Out of bounds read in dync
VecCopy::data is created as a Vec of u8 but can be used to store and retrieve elements of different types, leading to misaligned access.
The issue was resolved in v0.5.0 by replacing the Vec-backed data storage with a custom managed pointer. Elements are now stored and retrieved using types whose alignment matches that of the original types.
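The alignment problem described above, as an added example that is not dync's own code: byte storage guarantees only alignment 1, so a typed read from it has to be a bounds-checked byte copy, while storage allocated with the element type's own layout is aligned for typed access. All function names and the u32 element type are assumptions chosen for illustration.

```rust
use std::alloc::{alloc, dealloc, Layout};
use std::mem::{align_of, size_of};

/// True if `ptr` can be dereferenced as `*const T` without a misaligned access.
fn is_aligned_for<T>(ptr: *const u8) -> bool {
    (ptr as usize) % align_of::<T>() == 0
}

/// Byte storage (such as a Vec<u8>) only guarantees alignment 1. Count the
/// byte offsets in `buf` that would be misaligned if cast to `*const T`.
fn misaligned_offsets<T>(buf: &[u8]) -> usize {
    (0..buf.len()).filter(|&i| !is_aligned_for::<T>(buf[i..].as_ptr())).count()
}

/// Safe read from byte storage: bounds-checked copy, no typed pointer cast.
fn read_u32_from_bytes(buf: &[u8], offset: usize) -> Option<u32> {
    let end = offset.checked_add(size_of::<u32>())?;
    let mut bytes = [0u8; 4];
    bytes.copy_from_slice(buf.get(offset..end)?); // None if out of bounds
    Some(u32::from_ne_bytes(bytes))
}

/// Storage allocated with the element type's own Layout: every slot is
/// aligned for u32, so typed writes and reads are valid.
fn aligned_roundtrip(values: &[u32]) -> Option<(bool, Vec<u32>)> {
    if values.is_empty() { return None; } // zero-sized allocations are not allowed
    let layout = Layout::array::<u32>(values.len()).ok()?;
    // SAFETY: layout is non-zero-sized, every slot is written before it is
    // read, and the block is freed with the layout it was allocated with.
    unsafe {
        let base = alloc(layout) as *mut u32;
        if base.is_null() { return None; }
        let mut all_aligned = true;
        for (i, v) in values.iter().enumerate() {
            let slot = base.add(i);
            all_aligned &= is_aligned_for::<u32>(slot as *const u8);
            slot.write(*v);
        }
        let out: Vec<u32> = (0..values.len()).map(|i| base.add(i).read()).collect();
        dealloc(base as *mut u8, layout);
        Some((all_aligned, out))
    }
}

fn main() {
    let bytes = vec![0u8; 4]; // constructed sample buffer
    println!("misaligned u32 offsets in 4 bytes: {}", misaligned_offsets::<u32>(&bytes));
    println!("{:?}", read_u32_from_bytes(&[1, 2, 3, 4, 5], 1));
    println!("{:?}", aligned_roundtrip(&[10, 20, 30]));
}
```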
Permalink: https://github.com/advisories/GHSA-qxjq-v4wf-ppvh
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXF4anEtdjR3Zi1wcHZo
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 3 years ago
Updated: over 1 year ago
CVSS Score: 5.5
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS Percentage: 0.00044
EPSS Percentile: 0.14502
Identifiers: GHSA-qxjq-v4wf-ppvh, CVE-2020-35903
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-35903
- https://github.com/elrnv/dync/issues/4
- https://rustsec.org/advisories/RUSTSEC-2020-0050.html
- https://github.com/advisories/GHSA-qxjq-v4wf-ppvh
Blast Radius: 0.0
Affected Packages
cargo:dync
Dependent packages: 2
Dependent repositories: 1
Downloads: 15,872 total
Affected Version Ranges: < 0.5.0
Fixed in: 0.5.0
All affected versions: 0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.4.0
All unaffected versions: 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.5.7