WS-2020-0404 (Medium) detected in net2-0.2.33.crate

[mend-bolt-for-github[bot]]

WS-2020-0404 - Medium Severity Vulnerability

Vulnerable Library - net2-0.2.33.crate

Extensions to the standard library's networking types as proposed in RFC 1158.

Library home page: https://crates.io/api/v1/crates/net2/0.2.33/download

Path to dependency file: /third_party/rust_crates/vendor/hyper/Cargo.toml

Path to vulnerable library: /third_party/rust_crates/vendor/hyper/Cargo.toml,/third_party/rust_crates/vendor/h2/Cargo.toml,/third_party/rust_crates/vendor/flate2/Cargo.toml,/third_party/rust_crates/vendor/hyper-rustls/Cargo.toml,/third_party/rust_crates/vendor/trust-dns-resolver/Cargo.toml

Dependency Hierarchy: - tokio-test-0.2.0.crate (Root Library) - tokio-0.2.13.crate - mio-0.6.21.crate - miow-0.2.1.crate - :x: **net2-0.2.33.crate** (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The net2 crate has assumed std::net::SocketAddrV4 and std::net::SocketAddrV6 have the same memory layout as the system C representation sockaddr. It has simply casted the pointers to convert the socket addresses to the system representation. The standard library does not say anything about the memory layout, and this will cause invalid memory access if the standard library changes the implementation. No warnings or errors will be emitted once the change happens. Fixed in version 0.2.36.

Publish Date: 2020-11-07

URL: WS-2020-0404

CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2020-0078.html

Release Date: 2020-11-07

Fix Resolution: net2 - 0.2.36

---

Step up your Open Source Security Game with Mend here