Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXZqcnEtY2c5eC1yZmpw

High EPSS: 0.00334% (0.55504 Percentile) EPSS:
Permalink JSON

Improper Input Validation in cookie

Affected Packages Affected Versions Fixed Versions
cargo:cookie < 0.7.6 0.7.6
237 Dependent packages
14,536 Dependent repositories
84,872,081 Downloads total

Affected Version Ranges

All affected versions

0.0.1, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.1.10, 0.1.11, 0.1.12, 0.1.13, 0.1.14, 0.1.15, 0.1.16, 0.1.17, 0.1.18, 0.1.19, 0.1.20, 0.1.21, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.3.0, 0.3.1, 0.4.0, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.7.2, 0.7.3, 0.7.4, 0.7.5

All unaffected versions

0.7.6, 0.8.0, 0.8.1, 0.9.0, 0.9.1, 0.9.2, 0.10.0, 0.10.1, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.11.5, 0.12.0, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.14.0, 0.14.1, 0.14.2, 0.14.3, 0.14.4, 0.15.0, 0.15.1, 0.15.2, 0.16.0, 0.16.1, 0.16.2, 0.17.0, 0.18.0, 0.18.1

Affected versions of this crate use the time crate and the method Duration::seconds to parse the Max-Age duration cookie setting. This method will panic if the value is greater than 2^64/1000 and less than or equal to 2^64, which can result in denial of service for a client or server.

This flaw was corrected by explicitly checking for the Max-Age being in this integer range and clamping the value to the maximum duration value.

References:

Identifiers

GHSA-vjrq-cg9x-rfjp

CVE-2017-18589

Risk

Severity

High

EPSS

EPSS Percentage: 0.00334

EPSS Percentile: 0.55504

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/SergioBenitez/cookie-rs

Date and time

Published

almost 4 years ago

Updated

about 2 years ago

API

JSON