failure-0.1.8.crate: 2 vulnerabilities (highest severity is: 9.3)

[mend-for-github-com[bot]]

Vulnerable Library - failure-0.1.8.crate

Experimental error handling abstraction.

Library home page: https://crates.io/api/v1/crates/failure/0.1.8/download

Path to dependency file: /Cargo.toml

Path to vulnerable library: /Cargo.toml

Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411

Vulnerabilities

CVE	Severity	CVSS	Exploit Maturity	EPSS	Dependency	Type	Fixed in (failure version)	Remediation Possible**	Reachability
CVE-2020-25575	Critical	9.3	Not Defined	0.70000005%	failure-0.1.8.crate	Direct	N/A	❌
CVE-2019-25010	Critical	9.3	Not Defined	0.2%	failure-0.1.8.crate	Direct	N/A	❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-25575

### Vulnerable Library - failure-0.1.8.crate

Experimental error handling abstraction.

Library home page: https://crates.io/api/v1/crates/failure/0.1.8/download

Path to dependency file: /Cargo.toml

Path to vulnerable library: /Cargo.toml

Dependency Hierarchy: - :x: **failure-0.1.8.crate** (Vulnerable Library)

Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411

Found in base branch: master

### Vulnerability Details

An issue was discovered in the failure crate through 0.1.5 for Rust. It may introduce "compatibility hazards" in some applications, and has a type confusion flaw when downcasting. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: This may overlap CVE-2019-25010

Publish Date: 2020-09-14

URL: CVE-2020-25575

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.70000005%

### CVSS 4 Score Details (9.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A

For more information on CVSS4 Scores, click here.

CVE-2019-25010

### Vulnerable Library - failure-0.1.8.crate

Experimental error handling abstraction.

Library home page: https://crates.io/api/v1/crates/failure/0.1.8/download

Path to dependency file: /Cargo.toml

Path to vulnerable library: /Cargo.toml

Dependency Hierarchy: - :x: **failure-0.1.8.crate** (Vulnerable Library)

Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411

Found in base branch: master

### Vulnerability Details

An issue was discovered in the failure crate through 2019-11-13 for Rust. Type confusion can occur when __private_get_type_id__ is overridden. Mend Note: Converted from WS-2019-0506, on 2021-01-19.

Publish Date: 2020-12-31

URL: CVE-2019-25010

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

### CVSS 4 Score Details (9.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A

For more information on CVSS4 Scores, click here.

[mend-for-github-com[bot]]

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[mend-for-github-com[bot]]

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.