Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXg2N3gtdmc5bS02NWMz

Critical EPSS: 0.00476% (0.63999 Percentile) EPSS:
Permalink JSON

Integer overflow in base64

Affected Packages Affected Versions Fixed Versions
cargo:base64 < 0.5.2 0.5.2
4,847 Dependent packages
60,264 Dependent repositories
652,278,479 Downloads total

Affected Version Ranges

All affected versions

0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.5.1

All unaffected versions

0.5.2, 0.6.0, 0.7.0, 0.8.0, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.10.0, 0.10.1, 0.11.0, 0.12.0, 0.12.1, 0.12.2, 0.12.3, 0.13.0, 0.13.1, 0.20.0, 0.21.0, 0.21.1, 0.21.2, 0.21.3, 0.21.4, 0.21.5, 0.21.6, 0.21.7, 0.22.0, 0.22.1

Affected versions of this crate suffered from an integer overflow bug when
calculating the size of a buffer to use when encoding base64 using the
encode_config_buf and encode_config functions. If the input string
was large, this would cause a buffer to be allocated that was too small.
Since this function writes to the buffer using unsafe code, it would
allow an attacker to write beyond the buffer, causing memory corruption
and possibly the execution of arbitrary code.

This flaw was corrected by using checked arithmetic to calculate
the size of the buffer.

References:

Identifiers

GHSA-x67x-vg9m-65c3

CVE-2017-1000430

Risk

Severity

Critical

EPSS

EPSS Percentage: 0.00476

EPSS Percentile: 0.63999

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/alicemaz/rust-base64

Date and time

Published

almost 4 years ago

Updated

over 2 years ago

API

JSON