Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXc1Y3ItZnJwaC1odzdm
Use of uninitialized buffer in rkyv
An issue was discovered in the rkyv crate before 0.6.0 for Rust. When an archive is created via serialization, the archive content may contain uninitialized values of certain parts of a struct.
Permalink: https://github.com/advisories/GHSA-w5cr-frph-hw7fJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXc1Y3ItZnJwaC1odzdm
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: 11 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-w5cr-frph-hw7f, CVE-2021-31919
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-31919
- https://github.com/djkoloski/rkyv/commit/9c65ae9c2c67dd949b5c3aba9b8eba6da802ab7e
- https://github.com/djkoloski/rkyv/commit/f141b560523a20557db6540576d153010bd18712
- https://rustsec.org/advisories/RUSTSEC-2021-0054.html
- https://github.com/djkoloski/rkyv/issues/113
- https://github.com/advisories/GHSA-w5cr-frph-hw7f
Blast Radius: 26.2
Affected Packages
cargo:rkyv
Dependent packages: 157Dependent repositories: 3,139
Downloads: 15,283,985 total
Affected Version Ranges: < 0.6.0
Fixed in: 0.6.0
All affected versions: 0.0.0, 0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.5.0, 0.5.1, 0.5.2
All unaffected versions: 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.7.7, 0.7.8, 0.7.9, 0.7.10, 0.7.11, 0.7.12, 0.7.13, 0.7.14, 0.7.15, 0.7.16, 0.7.17, 0.7.18, 0.7.19, 0.7.20, 0.7.21, 0.7.22, 0.7.23, 0.7.24, 0.7.25, 0.7.26, 0.7.27, 0.7.28, 0.7.29, 0.7.30, 0.7.31, 0.7.32, 0.7.33, 0.7.34, 0.7.35, 0.7.36, 0.7.37, 0.7.38, 0.7.39, 0.7.40, 0.7.41, 0.7.42, 0.7.43, 0.7.44