Open mend-for-github-com[bot] opened 2 years ago
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
## Vulnerable Library - hyper-0.13.5.crate
A fast and correct HTTP library.
Library home page: https://crates.io/api/v1/crates/hyper/0.13.5/download
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411
## Vulnerabilities
\* For some transitive vulnerabilities there is no version of the direct dependency that carries a fix. Check the Details section below for a version of the transitive dependency in which the vulnerability is fixed. In this tree that applies to every finding reached through tokio 0.2, mio 0.6 and h2 0.2: the fixed releases listed below are on the tokio 1.x, mio 0.7 and h2 0.3 lines, which hyper 0.13 does not depend on, so those findings only go away with an upgrade of hyper itself to 0.14.
\*\* In some cases a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
## Details
### WS-2023-0027

#### Vulnerable Library - tokio-0.2.21.crate
An event-driven, non-blocking I/O platform for writing asynchronous I/O backed applications.
Library home page: https://crates.io/api/v1/crates/tokio/0.2.21/download
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Dependency Hierarchy:
- hyper-0.13.5.crate (Root Library)
  - :x: **tokio-0.2.21.crate** (Vulnerable Library)
Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411
Found in base branch: master

#### Vulnerability Details
A soundness issue was discovered in tokio: `tokio::io::ReadHalf::unsplit` can violate the `Pin` contract. The specific set of conditions needed to trigger it (a `!Unpin` type inside `ReadHalf`) is unusual, and turning an arbitrary use-after-free into something exploitable in Rust requires a lot of careful alignment of data types in the surrounding code. The tokio feature `io-util` must also be enabled for the issue to be reachable.
Publish Date: 2023-02-02
URL: WS-2023-0027

#### Threat Assessment
Exploit Maturity: Not Defined
EPSS:

#### CVSS 4 Score Details (9.3)
Base Score Metrics:
- Exploitability Metrics: Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: N/A
- Impact Metrics: Confidentiality Impact: N/A; Integrity Impact: N/A; Availability Impact: N/A

#### Suggested Fix
Type: Upgrade version
Origin: https://rustsec.org/advisories/RUSTSEC-2023-0005.html
Release Date: 2023-02-02
Fix Resolution: tokio - 1.18.5, 1.20.4, 1.24.2
### CVE-2021-45710

#### Vulnerable Library - tokio-0.2.21.crate
An event-driven, non-blocking I/O platform for writing asynchronous I/O backed applications.
Library home page: https://crates.io/api/v1/crates/tokio/0.2.21/download
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Dependency Hierarchy:
- hyper-0.13.5.crate (Root Library)
  - :x: **tokio-0.2.21.crate** (Vulnerable Library)
Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411
Found in base branch: master

#### Vulnerability Details
An issue was discovered in the tokio crate before 1.8.4, and 1.9.x through 1.13.x before 1.13.1, for Rust. In certain circumstances involving a closed oneshot channel, there is a data race and memory corruption. Mend Note: Converted from WS-2021-0424, on 2022-11-07.
Publish Date: 2021-12-26
URL: CVE-2021-45710

#### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%

#### CVSS 4 Score Details (9.2)
Base Score Metrics:
- Exploitability Metrics: Attack Vector: Network; Attack Complexity: High; Privileges Required: None; User Interaction: None; Scope: N/A
- Impact Metrics: Confidentiality Impact: N/A; Integrity Impact: N/A; Availability Impact: N/A

#### Suggested Fix
Type: Upgrade version
Origin: https://rustsec.org/advisories/RUSTSEC-2021-0124.html
Release Date: 2021-12-27
Fix Resolution: tokio - 1.8.4, 1.13.1
### CVE-2023-26964

#### Vulnerable Libraries - h2-0.2.5.crate, hyper-0.13.5.crate

##### h2-0.2.5.crate
An HTTP/2.0 client and server
Library home page: https://crates.io/api/v1/crates/h2/0.2.5/download
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Dependency Hierarchy:
- hyper-0.13.5.crate (Root Library)
  - :x: **h2-0.2.5.crate** (Vulnerable Library)

##### hyper-0.13.5.crate
A fast and correct HTTP library.
Library home page: https://crates.io/api/v1/crates/hyper/0.13.5/download
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Dependency Hierarchy:
- :x: **hyper-0.13.5.crate** (Vulnerable Library)
Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411
Found in base branch: master

#### Vulnerability Details
An issue was discovered in hyper v0.13.7 (h2 0.2.4). Stream stacking occurs when the h2 component processes HTTP/2 RST_STREAM frames: a client can open streams and immediately reset them faster than the server side releases them. As a result, memory and CPU usage are high, which can lead to a Denial of Service (DoS).
Publish Date: 2023-04-11
URL: CVE-2023-26964

#### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%

#### CVSS 4 Score Details (8.7)
Base Score Metrics:
- Exploitability Metrics: Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: N/A
- Impact Metrics: Confidentiality Impact: N/A; Integrity Impact: N/A; Availability Impact: N/A

#### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-f8vr-r385-rh5r
Release Date: 2023-04-11
Fix Resolution: h2 - 0.3.17
Note: the fix is on the h2 0.3 line only; hyper 0.13 depends on h2 0.2, so this finding is not resolvable by bumping h2 alone and requires the move to hyper 0.14.
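To make the "stream stacking" mechanism concrete, the following is an added example written for this page; it is not h2's or hyper's code. It models a server connection's stream bookkeeping with two assumed limits: the HTTP/2 `MAX_CONCURRENT_STREAMS` setting, and a cap on streams that the peer has reset but the application has not yet accepted (h2 0.3.17 exposes such a cap as `max_pending_accept_reset_streams`). `Conn`, `Frame`, `flood` and the numeric limits are illustrative names and values, not h2 APIs. The point it shows is that `MAX_CONCURRENT_STREAMS` alone does not bound the work queued by a HEADERS + RST_STREAM flood, because a reset stream stops counting as open while its buffered state lives on until the accept loop gets to it.

```rust
// Added example (not h2/hyper code): toy model of per-connection HTTP/2 stream
// state on a server, showing why a HEADERS+RST_STREAM flood stacks streams and
// how a cap on reset-but-unaccepted streams stops it. Frames, limits and the
// accept loop are simplified assumptions for illustration.
use std::collections::{HashMap, VecDeque};

#[derive(Debug)]
pub enum Frame {
    Headers { stream_id: u32 },
    RstStream { stream_id: u32 },
}

#[derive(Debug, PartialEq)]
pub enum ConnError {
    TooManyConcurrentStreams,
    TooManyPendingResets,
    ProtocolError,
}

#[derive(Debug)]
pub struct Conn {
    /// Streams the peer opened that the application has not accepted yet (FIFO).
    pending_accept: VecDeque<u32>,
    /// Buffered per-stream state; the bool records "reset before accept".
    streams: HashMap<u32, bool>,
    /// How many queued streams are already reset (the stacked ones).
    pending_reset: usize,
    /// Advertised MAX_CONCURRENT_STREAMS (counts open streams only).
    max_concurrent: usize,
    /// None models the vulnerable behaviour: no cap at all.
    max_pending_accept_reset: Option<usize>,
}

impl Conn {
    pub fn new(max_concurrent: usize, max_pending_accept_reset: Option<usize>) -> Self {
        Conn {
            pending_accept: VecDeque::new(),
            streams: HashMap::new(),
            pending_reset: 0,
            max_concurrent,
            max_pending_accept_reset,
        }
    }

    pub fn recv(&mut self, frame: Frame) -> Result<(), ConnError> {
        match frame {
            Frame::Headers { stream_id } => {
                if self.streams.contains_key(&stream_id) {
                    return Err(ConnError::ProtocolError);
                }
                // Only streams that are still open count toward the concurrency limit.
                let open = self.streams.values().filter(|reset| !**reset).count();
                if open >= self.max_concurrent {
                    return Err(ConnError::TooManyConcurrentStreams);
                }
                self.streams.insert(stream_id, false);
                self.pending_accept.push_back(stream_id);
                Ok(())
            }
            Frame::RstStream { stream_id } => {
                // RST_STREAM frees the concurrency slot immediately, but the
                // stream's buffers stay allocated until accept() reaches it.
                if let Some(reset) = self.streams.get_mut(&stream_id) {
                    if !*reset {
                        *reset = true;
                        self.pending_reset += 1;
                        if let Some(cap) = self.max_pending_accept_reset {
                            if self.pending_reset > cap {
                                // Hardened behaviour: refuse to keep stacking.
                                return Err(ConnError::TooManyPendingResets);
                            }
                        }
                    }
                }
                Ok(()) // RST on an unknown/closed stream is ignored in this model
            }
        }
    }

    /// Application accept loop: returns the next live stream, discarding reset ones.
    pub fn accept(&mut self) -> Option<u32> {
        while let Some(id) = self.pending_accept.pop_front() {
            let was_reset = self.streams.remove(&id).unwrap_or(false);
            if was_reset {
                self.pending_reset -= 1;
                continue;
            }
            return Some(id);
        }
        None
    }

    /// Number of streams whose state is still buffered on the connection.
    pub fn buffered_streams(&self) -> usize {
        self.streams.len()
    }
}

/// Drive `n` HEADERS+RST_STREAM pairs while the application never calls accept().
pub fn flood(conn: &mut Conn, n: u32) -> Result<(), ConnError> {
    for i in 0..n {
        let id = 2 * i + 1; // client-initiated stream IDs are odd
        conn.recv(Frame::Headers { stream_id: id })?;
        conn.recv(Frame::RstStream { stream_id: id })?;
    }
    Ok(())
}

fn main() {
    let mut vulnerable = Conn::new(100, None);
    let uncapped = flood(&mut vulnerable, 1000);
    println!("no cap: {:?}, {} streams still buffered", uncapped, vulnerable.buffered_streams());
    let mut hardened = Conn::new(100, Some(20));
    let capped = flood(&mut hardened, 1000);
    println!("cap 20: {:?}, {} streams buffered", capped, hardened.buffered_streams());
}
```

With no cap the flood of 1000 streams is accepted in full and every one of them stays buffered, even though the concurrency limit is 100; with the cap the connection errors out at the 21st stacked stream. That is the difference between the h2 0.2.x in this tree and the 0.3.17 behaviour, modelled rather than copied.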
### CVE-2020-35906

#### Vulnerable Library - futures-task-0.3.5.crate
Tools for working with tasks.
Library home page: https://crates.io/api/v1/crates/futures-task/0.3.5/download
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Dependency Hierarchy:
- hyper-0.13.5.crate (Root Library)
  - h2-0.2.5.crate
    - futures-util-0.3.5.crate
      - :x: **futures-task-0.3.5.crate** (Vulnerable Library)
Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411
Found in base branch: master

#### Vulnerability Details
An issue was discovered in the futures-task crate before 0.3.6 for Rust. `futures_task::waker` may cause a use-after-free in a non-static type situation. Mend Note: Converted from WS-2020-0237, on 2021-01-19.
Publish Date: 2020-12-31
URL: CVE-2020-35906

#### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%

#### CVSS 4 Score Details (8.5)
Base Score Metrics:
- Exploitability Metrics: Attack Vector: Local; Attack Complexity: Low; Privileges Required: Low; User Interaction: None; Scope: N/A
- Impact Metrics: Confidentiality Impact: N/A; Integrity Impact: N/A; Availability Impact: N/A

#### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-r93v-9p5q-vhpf
Release Date: 2020-12-31
Fix Resolution: futures-task - 0.3.6
### CVE-2022-31394

#### Vulnerable Library - hyper-0.13.5.crate
A fast and correct HTTP library.
Library home page: https://crates.io/api/v1/crates/hyper/0.13.5/download
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Dependency Hierarchy:
- :x: **hyper-0.13.5.crate** (Vulnerable Library)
Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411
Found in base branch: master

#### Vulnerability Details
hyper before 0.14.19 does not expose h2's `max_header_list_size` setting, so a server or client built on hyper cannot advertise and enforce a bound on the size of the header list a peer may send, allowing attackers to perform HTTP/2 attacks against it. hyper 0.14.19 adds an `http2_max_header_list_size` option to its server and client builders.
Publish Date: 2023-02-21
URL: CVE-2022-31394

#### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%

#### CVSS 4 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics: Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: N/A
- Impact Metrics: Confidentiality Impact: N/A; Integrity Impact: N/A; Availability Impact: N/A

#### Suggested Fix
Type: Upgrade version
Release Date: 2023-02-21
Fix Resolution: hyper - 0.14.19
### CVE-2021-38191

#### Vulnerable Library - tokio-0.2.21.crate
An event-driven, non-blocking I/O platform for writing asynchronous I/O backed applications.
Library home page: https://crates.io/api/v1/crates/tokio/0.2.21/download
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Dependency Hierarchy:
- hyper-0.13.5.crate (Root Library)
  - :x: **tokio-0.2.21.crate** (Vulnerable Library)
Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411
Found in base branch: master

#### Vulnerability Details
An issue was discovered in the tokio crate before 1.8.1 for Rust. Upon a `JoinHandle::abort`, a Task may be dropped in the wrong thread. Mend Note: Converted from WS-2021-0178, on 2021-08-09.
Publish Date: 2021-08-08
URL: CVE-2021-38191

#### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%

#### CVSS 4 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics: Attack Vector: Network; Attack Complexity: High; Privileges Required: None; User Interaction: None; Scope: N/A
- Impact Metrics: Confidentiality Impact: N/A; Integrity Impact: N/A; Availability Impact: N/A

#### Suggested Fix
Type: Upgrade version
Origin: https://rustsec.org/advisories/RUSTSEC-2021-0072.html
Release Date: 2021-08-08
Fix Resolution: tokio - 1.5.1, 1.6.3, 1.7.2, 1.8.1
### CVE-2021-32714

#### Vulnerable Library - hyper-0.13.5.crate
A fast and correct HTTP library.
Library home page: https://crates.io/api/v1/crates/hyper/0.13.5/download
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Dependency Hierarchy:
- :x: **hyper-0.13.5.crate** (Vulnerable Library)
Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411
Found in base branch: master

#### Vulnerability Details
hyper is an HTTP library for Rust. In versions prior to 0.14.10, hyper's HTTP server and client code had a flaw that could trigger an integer overflow when decoding chunk sizes that are too big. This allows possible data loss, or, if combined with an upstream HTTP proxy that allows chunk sizes larger than hyper does, can result in "request smuggling" or "desync attacks". The vulnerability is patched in version 0.14.10. Two workarounds exist: reject requests that contain a `Transfer-Encoding` header, or ensure any upstream proxy rejects `Transfer-Encoding` chunk sizes greater than what fits in a 64-bit unsigned integer.
Publish Date: 2021-07-07
URL: CVE-2021-32714

#### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%

#### CVSS 4 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics: Attack Vector: Network; Attack Complexity: High; Privileges Required: None; User Interaction: None; Scope: N/A
- Impact Metrics: Confidentiality Impact: N/A; Integrity Impact: N/A; Availability Impact: N/A

#### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32714
Release Date: 2021-07-07
Fix Resolution: hyper - 0.14.10
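The overflow class behind this CVE is easy to reproduce in isolation. The following is an added example for this page, not hyper's parser: two hex chunk-size decoders, one using wrapping arithmetic (the bug pattern) and one using checked arithmetic that rejects any size that does not fit in a `u64`, which is the bound the advisory's second workaround asks an upstream proxy to enforce. Function names, the error enum and the sample chunk-size lines are this example's own.

```rust
// Added example (not hyper code): decoding an HTTP/1.1 chunk-size line.
// The wrapping version silently turns a 17-hex-digit size into 0, which is the
// kind of mis-framing that lets a front-end proxy and hyper disagree on where a
// body ends; the checked version fails closed on overflow.

#[derive(Debug, PartialEq)]
pub enum ChunkSizeError {
    Empty,
    InvalidHex(u8),
    Overflow,
}

/// Bug pattern, kept for comparison: accumulator wraps instead of failing.
pub fn parse_chunk_size_wrapping(line: &[u8]) -> Result<u64, ChunkSizeError> {
    let digits = strip_chunk_ext(line);
    if digits.is_empty() {
        return Err(ChunkSizeError::Empty);
    }
    let mut size: u64 = 0;
    for &b in digits {
        let d = hex_val(b).ok_or(ChunkSizeError::InvalidHex(b))?;
        size = size.wrapping_mul(16).wrapping_add(u64::from(d));
    }
    Ok(size)
}

/// Hardened decoder: checked arithmetic, any overflow of u64 is an error.
pub fn parse_chunk_size(line: &[u8]) -> Result<u64, ChunkSizeError> {
    let digits = strip_chunk_ext(line);
    if digits.is_empty() {
        return Err(ChunkSizeError::Empty);
    }
    let mut size: u64 = 0;
    for &b in digits {
        let d = hex_val(b).ok_or(ChunkSizeError::InvalidHex(b))?;
        size = size
            .checked_mul(16)
            .and_then(|s| s.checked_add(u64::from(d)))
            .ok_or(ChunkSizeError::Overflow)?;
    }
    Ok(size)
}

/// The size ends at a chunk extension (";name=value"), whitespace, or CRLF.
fn strip_chunk_ext(line: &[u8]) -> &[u8] {
    let end = line
        .iter()
        .position(|&b| matches!(b, b';' | b'\r' | b'\n' | b' ' | b'\t'))
        .unwrap_or(line.len());
    &line[..end]
}

fn hex_val(b: u8) -> Option<u8> {
    match b {
        b'0'..=b'9' => Some(b - b'0'),
        b'a'..=b'f' => Some(b - b'a' + 10),
        b'A'..=b'F' => Some(b - b'A' + 10),
        _ => None,
    }
}

fn main() {
    // Constructed input: 2^64 written in hex, one digit more than u64 can hold.
    let oversized = b"10000000000000000\r\n";
    println!("wrapping decoder: {:?}", parse_chunk_size_wrapping(oversized));
    println!("checked decoder:  {:?}", parse_chunk_size(oversized));
}
```

A decoder that produces `Ok(0)` for that line would treat the following bytes as the start of the next chunk, while a front end that parsed the same line as a huge chunk would forward them as body; that disagreement is the desync the advisory describes, and the checked decoder removes it by refusing the line.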
### CVE-2020-36471

#### Vulnerable Library - generator-0.6.21.crate
Stackfull Generator Library in Rust
Library home page: https://crates.io/api/v1/crates/generator/0.6.21/download
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Dependency Hierarchy:
- hyper-0.13.5.crate (Root Library)
  - tokio-0.2.21.crate
    - bytes-0.5.5.crate
      - loom-0.3.4.crate
        - :x: **generator-0.6.21.crate** (Vulnerable Library)
Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411
Found in base branch: master

#### Vulnerability Details
An issue was discovered in the generator crate before 0.7.0 for Rust. It does not ensure that a function (for yielding values) has `Send` bounds. Mend Note: Converted from WS-2020-0290, on 2021-08-09.
Publish Date: 2021-08-08
URL: CVE-2020-36471

#### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%

#### CVSS 4 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics: Attack Vector: Network; Attack Complexity: High; Privileges Required: None; User Interaction: None; Scope: N/A
- Impact Metrics: Confidentiality Impact: N/A; Integrity Impact: N/A; Availability Impact: N/A

#### Suggested Fix
Type: Upgrade version
Origin: https://rustsec.org/advisories/RUSTSEC-2020-0151.html
Release Date: 2021-08-08
Fix Resolution: generator - 0.7.0
### WS-2022-0132

#### Vulnerable Library - hyper-0.13.5.crate
A fast and correct HTTP library.
Library home page: https://crates.io/api/v1/crates/hyper/0.13.5/download
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Dependency Hierarchy:
- :x: **hyper-0.13.5.crate** (Vulnerable Library)
Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411
Found in base branch: master

#### Vulnerability Details
The parser in hyper before 0.14.12 creates an invalid uninitialized value. Affected versions of this crate called `mem::uninitialized()` in the HTTP/1 parser to create values of type `httparse::Header` (from the httparse crate). This is unsound, since `Header` contains references and thus must be non-null.
Publish Date: 2022-05-10
URL: WS-2022-0132

#### Threat Assessment
Exploit Maturity: Not Defined
EPSS:

#### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics: Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged
- Impact Metrics: Confidentiality Impact: None; Integrity Impact: High; Availability Impact: None

#### Suggested Fix
Type: Upgrade version
Origin: https://rustsec.org/advisories/RUSTSEC-2022-0022.html
Release Date: 2022-05-10
Fix Resolution: hyper - 0.14.12
### CVE-2020-35922

#### Vulnerable Library - mio-0.6.22.crate
Lightweight non-blocking IO
Library home page: https://crates.io/api/v1/crates/mio/0.6.22/download
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Dependency Hierarchy:
- hyper-0.13.5.crate (Root Library)
  - tokio-0.2.21.crate
    - :x: **mio-0.6.22.crate** (Vulnerable Library)
Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411
Found in base branch: master

#### Vulnerability Details
An issue was discovered in the mio crate before 0.7.6 for Rust. It has false expectations about the `std::net::SocketAddr` memory representation. Mend Note: Converted from WS-2020-0225, on 2021-01-19.
Publish Date: 2020-12-31
URL: CVE-2020-35922

#### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%

#### CVSS 4 Score Details (6.8)
Base Score Metrics:
- Exploitability Metrics: Attack Vector: Local; Attack Complexity: Low; Privileges Required: Low; User Interaction: None; Scope: N/A
- Impact Metrics: Confidentiality Impact: N/A; Integrity Impact: N/A; Availability Impact: N/A

#### Suggested Fix
Type: Upgrade version
Origin: https://rustsec.org/advisories/RUSTSEC-2020-0081.html
Release Date: 2020-12-31
Fix Resolution: mio - 0.7.6
### CVE-2020-35921

#### Vulnerable Library - miow-0.2.1.crate
A zero overhead I/O library for Windows, focusing on IOCP and Async I/O abstractions.
Library home page: https://crates.io/api/v1/crates/miow/0.2.1/download
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Dependency Hierarchy:
- hyper-0.13.5.crate (Root Library)
  - tokio-0.2.21.crate
    - mio-0.6.22.crate
      - :x: **miow-0.2.1.crate** (Vulnerable Library)
Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411
Found in base branch: master

#### Vulnerability Details
An issue was discovered in the miow crate before 0.3.6 for Rust. It has false expectations about the `std::net::SocketAddr` memory representation. Mend Note: Converted from WS-2020-0229, on 2021-01-19.
Publish Date: 2020-12-31
URL: CVE-2020-35921

#### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%

#### CVSS 4 Score Details (6.8)
Base Score Metrics:
- Exploitability Metrics: Attack Vector: Local; Attack Complexity: Low; Privileges Required: Low; User Interaction: None; Scope: N/A
- Impact Metrics: Confidentiality Impact: N/A; Integrity Impact: N/A; Availability Impact: N/A

#### Suggested Fix
Type: Upgrade version
Origin: https://rustsec.org/advisories/RUSTSEC-2020-0080.html
Release Date: 2020-12-31
Fix Resolution: miow - 0.2.2, 0.3.6
### CVE-2020-35920

#### Vulnerable Library - net2-0.2.34.crate
Extensions to the standard library's networking types as proposed in RFC 1158.
Library home page: https://crates.io/api/v1/crates/net2/0.2.34/download
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Dependency Hierarchy:
- hyper-0.13.5.crate (Root Library)
  - tokio-0.2.21.crate
    - mio-0.6.22.crate
      - :x: **net2-0.2.34.crate** (Vulnerable Library)
Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411
Found in base branch: master

#### Vulnerability Details
An issue was discovered in the socket2 crate before 0.3.16 for Rust. It has false expectations about the `std::net::SocketAddr` memory representation. Mend Note: Converted from WS-2020-0230, on 2021-01-19.
Publish Date: 2020-12-31
URL: CVE-2020-35920

#### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%

#### CVSS 4 Score Details (6.8)
Base Score Metrics:
- Exploitability Metrics: Attack Vector: Local; Attack Complexity: Low; Privileges Required: Low; User Interaction: None; Scope: N/A
- Impact Metrics: Confidentiality Impact: N/A; Integrity Impact: N/A; Availability Impact: N/A

#### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-458v-4hrf-g3m4
Release Date: 2020-12-31
Fix Resolution: net2 - 0.2.36, socket2 - 0.3.16
### CVE-2020-35919

#### Vulnerable Library - net2-0.2.34.crate
Extensions to the standard library's networking types as proposed in RFC 1158.
Library home page: https://crates.io/api/v1/crates/net2/0.2.34/download
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Dependency Hierarchy:
- hyper-0.13.5.crate (Root Library)
  - tokio-0.2.21.crate
    - mio-0.6.22.crate
      - :x: **net2-0.2.34.crate** (Vulnerable Library)
Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411
Found in base branch: master

#### Vulnerability Details
An issue was discovered in the net2 crate before 0.2.36 for Rust. It has false expectations about the `std::net::SocketAddr` memory representation. Mend Note: Converted from WS-2020-0231, on 2021-01-19.
Publish Date: 2020-12-31
URL: CVE-2020-35919

#### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%

#### CVSS 4 Score Details (6.8)
Base Score Metrics:
- Exploitability Metrics: Attack Vector: Local; Attack Complexity: Low; Privileges Required: Low; User Interaction: None; Scope: N/A
- Impact Metrics: Confidentiality Impact: N/A; Integrity Impact: N/A; Availability Impact: N/A

#### Suggested Fix
Type: Upgrade version
Origin: https://rustsec.org/advisories/RUSTSEC-2020-0078.html
Release Date: 2020-12-31
Fix Resolution: net2 - 0.2.36
### CVE-2021-21299

#### Vulnerable Library - hyper-0.13.5.crate
A fast and correct HTTP library.
Library home page: https://crates.io/api/v1/crates/hyper/0.13.5/download
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Dependency Hierarchy:
- :x: **hyper-0.13.5.crate** (Vulnerable Library)
Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411
Found in base branch: master

#### Vulnerability Details
hyper is an open-source HTTP library for Rust (crates.io). In hyper from version 0.12.0 and before versions 0.13.10 and 0.14.3 there is a vulnerability that can enable a request smuggling attack. The HTTP server code had a flaw that incorrectly understood some requests with multiple transfer-encoding headers to have a chunked payload, when they should have been rejected as illegal. Combined with an upstream HTTP proxy that understands the request payload boundary differently, this can result in "request smuggling" or "desync attacks". To be vulnerable, all of the following must be true:
1. hyper is used as an HTTP server (the client is not affected),
2. HTTP/1.1 is in use (HTTP/2 does not use transfer-encoding),
3. a vulnerable HTTP proxy sits upstream of hyper.
If an upstream proxy correctly rejects the illegal transfer-encoding headers, the desync attack cannot succeed. If there is no proxy upstream of hyper, hyper cannot start the desync attack, as the client will repair the headers before forwarding. This is fixed in versions 0.14.3 and 0.13.10. As a workaround, either reject requests that contain a `transfer-encoding` header, or ensure any upstream proxy handles `transfer-encoding` correctly. Unlike most findings in this report, the fix is available on the 0.13 line (0.13.10), so this one does not depend on the 0.14 upgrade.
Publish Date: 2021-02-11
URL: CVE-2021-21299

#### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.3%

#### CVSS 4 Score Details (6.3)
Base Score Metrics:
- Exploitability Metrics: Attack Vector: Network; Attack Complexity: High; Privileges Required: None; User Interaction: None; Scope: N/A
- Impact Metrics: Confidentiality Impact: N/A; Integrity Impact: N/A; Availability Impact: N/A

#### Suggested Fix
Type: Upgrade version
Origin: https://rustsec.org/advisories/RUSTSEC-2021-0020.html
Release Date: 2021-02-11
Fix Resolution: hyper - 0.13.10, 0.14.3
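The first workaround above (reject anything with a `transfer-encoding` header) is blunt; the check a server actually needs is to derive the body framing from the combined header list and refuse the ambiguous cases. The following is an added example written for this page, not hyper's implementation: `body_framing` takes headers as (name, value) pairs in wire order, joins repeated `Transfer-Encoding` fields with RFC 7230 list semantics so that "chunked" must be the final coding of the whole list, and rejects the combinations that make a front end and a back end disagree. The `Framing` and `FramingError` types and the sample headers are this example's own constructions.

```rust
// Added example (not hyper code): decide HTTP/1.1 request body framing from
// the header fields and fail closed on the ambiguous cases behind
// CVE-2021-21299 instead of guessing "chunked".

#[derive(Debug, PartialEq)]
pub enum Framing {
    /// Neither Content-Length nor Transfer-Encoding present: no body.
    NoBody,
    ContentLength(u64),
    Chunked,
}

#[derive(Debug, PartialEq)]
pub enum FramingError {
    /// Transfer-Encoding present but "chunked" is missing, repeated, or not last.
    InvalidTransferEncoding,
    /// Transfer-Encoding and Content-Length both present: the classic smuggling setup.
    ConflictingHeaders,
    /// Content-Length is not a plain decimal, or is repeated with differing values.
    BadContentLength,
}

/// `headers` are (name, value) pairs in wire order, values already stripped of CRLF.
pub fn body_framing(headers: &[(&str, &str)]) -> Result<Framing, FramingError> {
    // Every coding from every Transfer-Encoding field line, in order.
    let codings: Vec<String> = headers
        .iter()
        .filter(|(name, _)| name.eq_ignore_ascii_case("transfer-encoding"))
        .flat_map(|(_, value)| value.split(','))
        .map(|c| c.trim().to_ascii_lowercase())
        .filter(|c| !c.is_empty())
        .collect();

    let lengths: Vec<&str> = headers
        .iter()
        .filter(|(name, _)| name.eq_ignore_ascii_case("content-length"))
        .map(|(_, value)| value.trim())
        .collect();

    if !codings.is_empty() {
        if !lengths.is_empty() {
            // RFC 7230 says Transfer-Encoding wins, but a server behind a proxy
            // should not rely on the proxy agreeing; reject the combination.
            return Err(FramingError::ConflictingHeaders);
        }
        let chunked_count = codings.iter().filter(|c| c.as_str() == "chunked").count();
        let chunked_last = codings.last().map(String::as_str) == Some("chunked");
        return if chunked_count == 1 && chunked_last {
            Ok(Framing::Chunked)
        } else {
            // e.g. "chunked" followed by "gzip" across two field lines: the case
            // vulnerable hyper treated as a chunked body instead of rejecting.
            Err(FramingError::InvalidTransferEncoding)
        };
    }

    match lengths.as_slice() {
        [] => Ok(Framing::NoBody),
        [first, rest @ ..] => {
            // Repeated identical values are tolerated; differing ones are rejected.
            if rest.iter().any(|v| v != first) {
                return Err(FramingError::BadContentLength);
            }
            parse_content_length(first).map(Framing::ContentLength)
        }
    }
}

/// Strict decimal: digits only (no sign, no whitespace, no hex), must fit in u64.
fn parse_content_length(value: &str) -> Result<u64, FramingError> {
    if value.is_empty() || !value.bytes().all(|b| b.is_ascii_digit()) {
        return Err(FramingError::BadContentLength);
    }
    value.parse::<u64>().map_err(|_| FramingError::BadContentLength)
}

fn main() {
    // Constructed headers: the multi-field Transfer-Encoding case from the advisory.
    let smuggling_attempt = [
        ("Host", "example.test"),
        ("Transfer-Encoding", "chunked"),
        ("Transfer-Encoding", "gzip"),
    ];
    println!("{:?}", body_framing(&smuggling_attempt));
}
```

A request that fails this check should get a 400 and the connection closed, per RFC 7230 section 3.3.3, rather than being forwarded; the check is cheap enough to run on every request and removes the need for the blanket "reject all transfer-encoding" workaround.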
### CVE-2020-35905

#### Vulnerable Library - futures-util-0.3.5.crate
Common utilities and extension traits for the futures-rs library.
Library home page: https://crates.io/api/v1/crates/futures-util/0.3.5/download
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Dependency Hierarchy:
- hyper-0.13.5.crate (Root Library)
  - h2-0.2.5.crate
    - :x: **futures-util-0.3.5.crate** (Vulnerable Library)
Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411
Found in base branch: master

#### Vulnerability Details
An issue was discovered in the futures-util crate before 0.3.7 for Rust. `MutexGuard::map` can cause a data race for certain closure situations (in safe code).
Publish Date: 2020-12-31
URL: CVE-2020-35905

#### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%

#### CVSS 4 Score Details (5.7)
Base Score Metrics:
- Exploitability Metrics: Attack Vector: Local; Attack Complexity: High; Privileges Required: Low; User Interaction: None; Scope: N/A
- Impact Metrics: Confidentiality Impact: N/A; Integrity Impact: N/A; Availability Impact: N/A

#### Suggested Fix
Type: Upgrade version
Origin: https://rustsec.org/advisories/RUSTSEC-2020-0059.html
Release Date: 2020-12-31
Fix Resolution: futures-util - 0.3.7
### WS-2020-0404

#### Vulnerable Library - net2-0.2.34.crate
Extensions to the standard library's networking types as proposed in RFC 1158.
Library home page: https://crates.io/api/v1/crates/net2/0.2.34/download
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Dependency Hierarchy:
- hyper-0.13.5.crate (Root Library)
  - tokio-0.2.21.crate
    - mio-0.6.22.crate
      - :x: **net2-0.2.34.crate** (Vulnerable Library)
Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411
Found in base branch: master

#### Vulnerability Details
The net2 crate assumed that `std::net::SocketAddrV4` and `std::net::SocketAddrV6` have the same memory layout as the system C representation `sockaddr`, and simply cast the pointers to convert the socket addresses to the system representation. The standard library does not say anything about that memory layout, so this causes invalid memory access if the standard library changes its implementation, and no warnings or errors will be emitted once the change happens. Fixed in version 0.2.36. This entry and CVE-2020-35919 above point at the same RustSec advisory (RUSTSEC-2020-0078); it is the same net2 issue listed under Mend's pre-CVE identifier.
Publish Date: 2020-11-07
URL: WS-2020-0404

#### Threat Assessment
Exploit Maturity: Not Defined
EPSS:

#### CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics: Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged
- Impact Metrics: Confidentiality Impact: None; Integrity Impact: Low; Availability Impact: None

#### Suggested Fix
Type: Upgrade version
Origin: https://rustsec.org/advisories/RUSTSEC-2020-0078.html
Release Date: 2020-11-07
Fix Resolution: net2 - 0.2.36
### WS-2020-0189

#### Vulnerable Library - futures-util-0.3.5.crate
Common utilities and extension traits for the futures-rs library.
Library home page: https://crates.io/api/v1/crates/futures-util/0.3.5/download
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Dependency Hierarchy:
- hyper-0.13.5.crate (Root Library)
  - h2-0.2.5.crate
    - :x: **futures-util-0.3.5.crate** (Vulnerable Library)
Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411
Found in base branch: master

#### Vulnerability Details
Affected versions of futures-rs had `Send`/`Sync` implementations for `MappedMutexGuard` that only considered variance on `T`, while `MappedMutexGuard` dereferences to `U`. This could have led to data races in safe Rust code when a closure used in `MutexGuard::map()` returns a `U` that is unrelated to `T`. The issue was fixed by correcting the `Send` and `Sync` implementations and by adding a `PhantomData<&'a mut U>` marker to the `MappedMutexGuard` type to tell the compiler that the guard is over `U` too. This affects futures-rs 0.3.2 through 0.3.6 and is fixed in futures-rs 0.3.7 onwards. It is the same futures-util issue reported above as CVE-2020-35905 (RUSTSEC-2020-0059), listed here under Mend's pre-CVE identifier; the fix is the same 0.3.7 release.
Publish Date: 2020-11-02
URL: WS-2020-0189

#### Threat Assessment
Exploit Maturity: Not Defined
EPSS:

#### CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics: Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged
- Impact Metrics: Confidentiality Impact: None; Integrity Impact: None; Availability Impact: Low

#### Suggested Fix
Type: Upgrade version
Release Date: 2020-11-02
Fix Resolution: futures-util - 0.3.7
### CVE-2023-22466

#### Vulnerable Library - tokio-0.2.21.crate
An event-driven, non-blocking I/O platform for writing asynchronous I/O backed applications.
Library home page: https://crates.io/api/v1/crates/tokio/0.2.21/download
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Dependency Hierarchy:
- hyper-0.13.5.crate (Root Library)
  - :x: **tokio-0.2.21.crate** (Vulnerable Library)
Found in HEAD commit: 79c87f5e3280775e98dbb5333237c17aad7e2411
Found in base branch: master

#### Vulnerability Details
Tokio is a runtime for writing applications with Rust. Starting with version 1.7.0 and prior to versions 1.18.4, 1.20.3, and 1.23.1, when configuring a Windows named pipe server, setting `pipe_mode` will reset `reject_remote_clients` to `false`. If the application has previously configured `reject_remote_clients` to `true`, this effectively undoes the configuration. Remote clients may only access the named pipe if the named pipe's associated path is accessible via a publicly shared folder (SMB). Versions 1.23.1, 1.20.3, and 1.18.4 have been patched. The fix will also be present in all releases starting from version 1.24.0. Named pipes were introduced to Tokio in version 1.7.0, so releases older than 1.7.0 are not affected. As a workaround, ensure that `pipe_mode` is set first after initializing a `ServerOptions`.
Note: tokio 0.2.21, the version in this tree, predates 1.7.0, so by the advisory's own scope the flagged code does not exist in it; the finding is a version-range match that disappears with the tokio 1.x upgrade a move to hyper 0.14 entails.
Publish Date: 2023-01-04
URL: CVE-2023-22466

#### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%

#### CVSS 4 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics: Attack Vector: Network; Attack Complexity: Low; Privileges Required: Low; User Interaction: None; Scope: N/A
- Impact Metrics: Confidentiality Impact: N/A; Integrity Impact: N/A; Availability Impact: N/A

#### Suggested Fix
Type: Upgrade version
Origin: https://github.com/tokio-rs/tokio/security/advisories/GHSA-7rrj-xr53-82p7
Release Date: 2023-01-04
Fix Resolution: tokio - 1.18.4, 1.20.3, 1.23.1