Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXZxeDctcHc0ci0yOXJy
Out of bounds read in bumpalo
An issue was discovered in the bumpalo crate before 3.2.1 for Rust. The realloc feature allows the reading of unknown memory. Attackers can potentially read cryptographic keys.
Permalink: https://github.com/advisories/GHSA-vqx7-pw4r-29rr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXZxeDctcHc0ci0yOXJy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-vqx7-pw4r-29rr, CVE-2020-35861
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-35861
- https://github.com/fitzgen/bumpalo/issues/69
- https://rustsec.org/advisories/RUSTSEC-2020-0006.html
- https://github.com/advisories/GHSA-vqx7-pw4r-29rr
Blast Radius: 35.6
Affected Packages
cargo:bumpalo
Dependent packages: 114
Dependent repositories: 55,132
Downloads: 82,712,372 total
Affected Version Ranges: >= 3.0.0, < 3.2.1
Fixed in: 3.2.1
All affected versions: 3.0.0, 3.1.0, 3.1.1, 3.1.2, 3.2.0
All unaffected versions: 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.2.0, 2.0.0, 2.1.0, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.5.0, 2.6.0, 3.2.1, 3.3.0, 3.4.0, 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.8.0, 3.9.0, 3.9.1, 3.10.0, 3.11.0, 3.11.1, 3.12.0, 3.12.1, 3.12.2, 3.13.0, 3.14.0, 3.15.0, 3.15.1, 3.15.2, 3.15.3, 3.15.4, 3.16.0