Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFnd2YtcjJqai0yY2N2
Use after free in heapless
An issue was discovered in the heapless crate before 0.6.1 for Rust. The IntoIter Clone implementation clones an entire underlying Vec without considering whether it has already been partially consumed.
Permalink: https://github.com/advisories/GHSA-qgwf-r2jj-2ccvJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFnd2YtcjJqai0yY2N2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-qgwf-r2jj-2ccv, CVE-2020-36464
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-36464
- https://github.com/japaric/heapless/issues/181
- https://rustsec.org/advisories/RUSTSEC-2020-0145.html
- https://github.com/advisories/GHSA-qgwf-r2jj-2ccv
Blast Radius: 25.1
Affected Packages
cargo:heapless
Dependent packages: 381Dependent repositories: 2,239
Downloads: 11,746,896 total
Affected Version Ranges: < 0.6.1
Fixed in: 0.6.1
All affected versions: 0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.6.0
All unaffected versions: 0.6.1, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.7.7, 0.7.8, 0.7.9, 0.7.10, 0.7.11, 0.7.12, 0.7.13, 0.7.14, 0.7.15, 0.7.16, 0.7.17, 0.8.0