Filtered by vendor Rust-lang
Subscribe
Total
32 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-36202 | 1 Rust-lang | 1 Async-h1 | 2021-02-10 | 4.3 MEDIUM | 6.1 MEDIUM |
An issue was discovered in the async-h1 crate before 2.3.0 for Rust. Request smuggling can occur when used behind a reverse proxy. | |||||
CVE-2020-26297 | 1 Rust-lang | 1 Mdbook | 2021-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
mdBook is a utility to create modern online books from Markdown files and is written in Rust. In mdBook before version 0.4.5, there is a vulnerability affecting the search feature of mdBook, which could allow an attacker to execute arbitrary JavaScript code on the page. The search feature of mdBook (introduced in version 0.1.4) was affected by a cross site scripting vulnerability that allowed an attacker to execute arbitrary JavaScript code on an user's browser by tricking the user into typing a malicious search query, or tricking the user into clicking a link to the search page with the malicious search query prefilled. mdBook 0.4.5 fixes the vulnerability by properly escaping the search query. Owners of websites built with mdBook have to upgrade to mdBook 0.4.5 or greater and rebuild their website contents with it. | |||||
CVE-2020-35920 | 1 Rust-lang | 1 Socket2 | 2021-01-06 | 2.1 LOW | 5.5 MEDIUM |
An issue was discovered in the socket2 crate before 0.3.16 for Rust. It has false expectations about the std::net::SocketAddr memory representation. | |||||
CVE-2020-35905 | 1 Rust-lang | 1 Future-utils | 2021-01-06 | 1.9 LOW | 4.7 MEDIUM |
An issue was discovered in the futures-util crate before 0.3.7 for Rust. MutexGuard::map can cause a data race for certain closure situations (in safe code). | |||||
CVE-2020-35906 | 1 Rust-lang | 1 Futures-task | 2021-01-06 | 7.2 HIGH | 7.8 HIGH |
An issue was discovered in the futures-task crate before 0.3.6 for Rust. futures_task::waker may cause a use-after-free in a non-static type situation. | |||||
CVE-2020-35908 | 1 Rust-lang | 1 Future-utils | 2021-01-06 | 2.1 LOW | 5.5 MEDIUM |
An issue was discovered in the futures-util crate before 0.3.2 for Rust. FuturesUnordered can lead to data corruption because Sync is mishandled. | |||||
CVE-2020-35907 | 1 Rust-lang | 1 Futures-task | 2021-01-06 | 2.1 LOW | 5.5 MEDIUM |
An issue was discovered in the futures-task crate before 0.3.5 for Rust. futures_task::noop_waker_ref allows a NULL pointer dereference. | |||||
CVE-2019-1010299 | 1 Rust-lang | 1 Rust | 2020-09-30 | 5.0 MEDIUM | 5.3 MEDIUM |
The Rust Programming Language Standard Library 1.18.0 and later is affected by: CWE-200: Information Exposure. The impact is: Contents of uninitialized memory could be printed to string or to log file. The component is: Debug trait implementation for std::collections::vec_deque::Iter. The attack vector is: The program needs to invoke debug printing for iterator over an empty VecDeque. The fixed version is: 1.30.0, nightly versions after commit b85e4cc8fadaabd41da5b9645c08c68b8f89908d. | |||||
CVE-2019-16760 | 1 Rust-lang | 1 Rust | 2019-10-08 | 5.0 MEDIUM | 7.5 HIGH |
Cargo prior to Rust 1.26.0 may download the wrong dependency if your package.toml file uses the `package` configuration key. Usage of the `package` key to rename dependencies in `Cargo.toml` is ignored in Rust 1.25.0 and prior. When Rust 1.25.0 and prior is used Cargo may download the wrong dependency, which could be squatted on crates.io to be a malicious package. This not only affects manifests that you write locally yourself, but also manifests published to crates.io. Rust 1.0.0 through Rust 1.25.0 is affected by this advisory because Cargo will ignore the `package` key in manifests. Rust 1.26.0 through Rust 1.30.0 are not affected and typically will emit an error because the `package` key is unstable. Rust 1.31.0 and after are not affected because Cargo understands the `package` key. Users of the affected versions are strongly encouraged to update their compiler to the latest available one. Preventing this issue from happening requires updating your compiler to be either Rust 1.26.0 or newer. There will be no point release for Rust versions prior to 1.26.0. Users of Rust 1.19.0 to Rust 1.25.0 can instead apply linked patches to mitigate the issue. | |||||
CVE-2018-1000622 | 1 Rust-lang | 1 Rust | 2019-09-27 | 6.8 MEDIUM | 7.8 HIGH |
The Rust Programming Language rustdoc version Between 0.8 and 1.27.0 contains a CWE-427: Uncontrolled Search Path Element vulnerability in rustdoc plugins that can result in local code execution as a different user. This attack appear to be exploitable via using the --plugin flag without the --plugin-path flag. This vulnerability appears to have been fixed in 1.27.1. | |||||
CVE-2018-1000810 | 1 Rust-lang | 1 Rust | 2019-01-04 | 7.5 HIGH | 9.8 CRITICAL |
The Rust Programming Language Standard Library version 1.29.0, 1.28.0, 1.27.2, 1.27.1, 127.0, 126.2, 126.1, 126.0 contains a CWE-680: Integer Overflow to Buffer Overflow vulnerability in standard library that can result in buffer overflow. This attack appear to be exploitable via str::repeat, passed a large number, can overflow an internal buffer. This vulnerability appears to have been fixed in 1.29.1. | |||||
CVE-2018-1000657 | 1 Rust-lang | 1 Rust | 2018-10-18 | 4.6 MEDIUM | 7.8 HIGH |
Rust Programming Language Rust standard library version Commit bfa0e1f58acf1c28d500c34ed258f09ae021893e and later; stable release 1.3.0 and later contains a Buffer Overflow vulnerability in std::collections::vec_deque::VecDeque::reserve() function that can result in Arbitrary code execution, but no proof-of-concept exploit is currently published.. This vulnerability appears to have been fixed in after commit fdfafb510b1a38f727e920dccbeeb638d39a8e60; stable release 1.22.0 and later. |