tapalif / localstack

💻 A fully functional local AWS cloud stack. Develop and test your cloud & Serverless apps offline!
https://localstack.cloud

lambda_http-0.5.1.crate: 3 vulnerabilities (highest severity is: 7.5) #2

Open mend-bolt-for-github[bot] opened 2 years ago

mend-bolt-for-github[bot] commented 2 years ago
Vulnerable Library - lambda_http-0.5.1.crate

Path to dependency file: /tests/integration/awslambda/functions/rust-lambda/Cargo.toml

Path to vulnerable library: /tests/integration/awslambda/functions/rust-lambda/Cargo.toml

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (lambda_http version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-26964 | High | 7.5 | hyper-0.14.18.crate | Transitive | N/A* | |
| CVE-2022-31394 | High | 7.5 | hyper-0.14.18.crate | Transitive | N/A* | |
| CVE-2020-26235 | Medium | 5.3 | chrono-0.4.19.crate | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.

Details

**CVE-2023-26964**

### Vulnerable Library - hyper-0.14.18.crate

A fast and correct HTTP library.

Library home page: https://crates.io/api/v1/crates/hyper/0.14.18/download

Path to dependency file: /tests/integration/awslambda/functions/rust-lambda/Cargo.toml

Path to vulnerable library: /tests/integration/awslambda/functions/rust-lambda/Cargo.toml

Dependency Hierarchy:
- lambda_http-0.5.1.crate (Root Library)
  - lambda_runtime-0.5.1.crate
    - lambda_runtime_api_client-0.5.0.crate
      - :x: **hyper-0.14.18.crate** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

An issue was discovered in hyper v0.13.7. h2-0.2.4 Stream stacking occurs when the H2 component processes HTTP2 RST_STREAM frames. As a result, the memory and CPU usage are high which can lead to a Denial of Service (DoS).

Publish Date: 2023-04-11

URL: CVE-2023-26964

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-f8vr-r385-rh5r

Release Date: 2023-04-11

Fix Resolution: h2 - 0.3.17

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
**CVE-2022-31394**

### Vulnerable Library - hyper-0.14.18.crate

A fast and correct HTTP library.

Library home page: https://crates.io/api/v1/crates/hyper/0.14.18/download

Path to dependency file: /tests/integration/awslambda/functions/rust-lambda/Cargo.toml

Path to vulnerable library: /tests/integration/awslambda/functions/rust-lambda/Cargo.toml

Dependency Hierarchy:
- lambda_http-0.5.1.crate (Root Library)
  - lambda_runtime-0.5.1.crate
    - lambda_runtime_api_client-0.5.0.crate
      - :x: **hyper-0.14.18.crate** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Hyperium Hyper before 0.14.19 does not allow for customization of the max_header_list_size method in the H2 third-party software, allowing attackers to perform HTTP2 attacks.

Publish Date: 2023-02-21

URL: CVE-2022-31394

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2023-02-21

Fix Resolution: hyper - v0.14.19

**CVE-2020-26235**

### Vulnerable Library - chrono-0.4.19.crate

Date and time library for Rust

Library home page: https://crates.io/api/v1/crates/chrono/0.4.19/download

Path to dependency file: /tests/integration/awslambda/functions/rust-lambda/Cargo.toml

Path to vulnerable library: /tests/integration/awslambda/functions/rust-lambda/Cargo.toml

Dependency Hierarchy:
- lambda_http-0.5.1.crate (Root Library)
  - aws_lambda_events-0.6.2
    - :x: **chrono-0.4.19.crate** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

In Rust time crate from version 0.2.7 and before version 0.2.23, unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires the user to set any environment variable in a different thread than the affected functions. The affected functions are time::UtcOffset::local_offset_at, time::UtcOffset::try_local_offset_at, time::UtcOffset::current_local_offset, time::UtcOffset::try_current_local_offset, time::OffsetDateTime::now_local and time::OffsetDateTime::try_now_local. Non-Unix targets are unaffected. This includes Windows and wasm. The issue was introduced in version 0.2.7 and fixed in version 0.2.23.

Publish Date: 2020-11-24

URL: CVE-2020-26235

### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2020-0071.html

Release Date: 2020-11-24

Fix Resolution: chrono - 0.4.20,time - 0.2.23

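The report names a fixed version for each transitive crate (h2 0.3.17, hyper 0.14.19, chrono 0.4.20) but no lambda_http release that pulls them in, which is the case the first footnote describes: the lock file has to be moved forward by hand. The script below is an added example and is not part of the Mend report or of the LocalStack repository. It reads a Cargo.lock, reports whether each flagged crate is at or above the version the advisory names as fixed, and prints the `cargo update -p <crate> --precise <version>` command that pins it. The sample Cargo.lock it writes is constructed for the demo (the h2 version in it is assumed, not taken from the report), and the function names and the lock-file layout it parses are assumptions.

```shell
#!/bin/sh
# Added example, not LocalStack's or Mend's code: audit a Cargo.lock for the
# transitive crates flagged in the report above and print the cargo command
# that pins each one at the version the advisory names as fixed.
# Assumptions: Cargo.lock in the "[[package]]" / name = / version = layout
# written by cargo, and POSIX sh + awk. Pre-release tags in versions are
# ignored when comparing (numeric components only).

# lock_version LOCKFILE CRATE: print the version CRATE is locked at
# (first match only; a lock file can hold several versions of one crate).
lock_version() {
    awk -v want="$2" '
        /^\[\[package\]\]/ { hit = 0 }
        $1 == "name" && $3 == ("\"" want "\"") { hit = 1; next }
        hit && $1 == "version" { gsub(/"/, "", $3); print $3; exit }
    ' "$1"
}

# version_lt A B: exit 0 when A is strictly older than B, comparing each
# dotted component numerically (so 0.3.9 < 0.3.17, unlike a string compare).
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x%%[!0-9]*} y=${y%%[!0-9]*}
        x=${x:-0} y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1
}

# check_lock LOCKFILE: one line per flagged crate, "<crate> <locked> <fixed> <status>",
# followed by the pinning command for every crate still below its fix.
# Exit status 1 if anything still needs updating, 0 otherwise.
check_lock() {
    lock=$1 rc=0
    # crate:fixed-version pairs, taken from the "Fix Resolution" lines above
    for pair in h2:0.3.17 hyper:0.14.19 chrono:0.4.20; do
        crate=${pair%%:*} fixed=${pair#*:}
        locked=$(lock_version "$lock" "$crate")
        if [ -z "$locked" ]; then
            echo "$crate absent $fixed SKIP"
        elif version_lt "$locked" "$fixed"; then
            echo "$crate $locked $fixed FIX"
            # --precise only succeeds if every dependent's semver range admits
            # the new version; otherwise the direct dependency must be bumped.
            echo "  cargo update -p $crate --precise $fixed"
            rc=1
        else
            echo "$crate $locked $fixed OK"
        fi
    done
    return $rc
}

# Constructed sample lock file for the demo (not the real LocalStack Cargo.lock):
# the flagged crates at the versions the report found, plus an unflagged one.
# The h2 version is an assumption; the report does not state it.
SAMPLE_LOCK=$(mktemp)
trap 'rm -f "$SAMPLE_LOCK"' EXIT
cat >"$SAMPLE_LOCK" <<'EOF'
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "chrono"
version = "0.4.19"
dependencies = [
 "time",
]

[[package]]
name = "h2"
version = "0.3.13"

[[package]]
name = "hyper"
version = "0.14.18"
dependencies = [
 "h2",
]

[[package]]
name = "lambda_http"
version = "0.5.1"

[[package]]
name = "time"
version = "0.1.44"
EOF

# Run against a real lock file: sh check_lock.sh path/to/Cargo.lock
check_lock "${1:-$SAMPLE_LOCK}" || echo "lock file still needs updating (exit $?)"
```

Two practical caveats: if the lock file already holds more than one version of a crate, select the one to move with `cargo update -p h2@0.3.13 --precise 0.3.17` rather than by bare name, and if cargo refuses the `--precise` version because a dependent's requirement does not admit it, the direct dependency (here lambda_http or lambda_runtime) has to be bumped instead. The same check against the full RustSec database, rather than these three crates, is what `cargo audit` does.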