Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXdxOGYtNDZ3dy02YzJo
Integer underflow in untrusted
A mistake in error handling in untrusted before 0.6.2 could lead to an integer underflow and panic if a user of the crate didn't properly check for errors returned by untrusted. Combination of these two programming errors (one in untrusted and another by user of this crate) could lead to a panic and maybe a denial of service of affected software. The error in untrusted is fixed in release 0.6.2 released 2018-06-21. It's also advisable that users of untrusted check for their sources for cases where errors returned by untrusted are not handled correctly.
Permalink: https://github.com/advisories/GHSA-wq8f-46ww-6c2hJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXdxOGYtNDZ3dy02YzJo
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: 11 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-wq8f-46ww-6c2h, CVE-2018-20989
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-20989
- https://github.com/briansmith/untrusted/pull/20
- https://rustsec.org/advisories/RUSTSEC-2018-0001.html
- https://github.com/advisories/GHSA-wq8f-46ww-6c2h
Blast Radius: 32.4
Affected Packages
cargo:untrusted
Dependent packages: 116Dependent repositories: 20,963
Downloads: 104,683,544 total
Affected Version Ranges: < 0.6.2
Fixed in: 0.6.2
All affected versions: 0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.5.0, 0.5.1, 0.6.0, 0.6.1
All unaffected versions: 0.6.2, 0.7.0, 0.7.1, 0.8.0, 0.9.0