GHSA-HR3C-6MMP-6M39
Vulnerability from github – Published: 2021-08-25 20:42 – Updated: 2023-06-13 20:55Affected versions of this crate did not properly update the head and tail of the deque when inserting and removing elements from the front if, before insertion or removal, the tail of the deque was in the mirrored memory region, and if, after insertion or removal, the head of the deque is exactly at the beginning of the mirrored memory region.
An attacker that controls both element insertion and removal into the deque could put it in a corrupted state. Once the deque enters such an state, its head and tail are corrupted, but in bounds of the allocated memory. This can result in partial reads and writes, reads of uninitialized memory, reads of memory containing previously dropped objects, etc. An attacker could exploit this to alter program execution.
The flaw was corrected by properly updating the head and tail of the deque in this case.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "slice-deque"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.16"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-20995"
],
"database_specific": {
"cwe_ids": [
"CWE-119"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-19T21:25:30Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "Affected versions of this crate did not properly update the head and tail of the deque when inserting and removing elements from the front if, before insertion or removal, the tail of the deque was in the mirrored memory region, and if, after insertion or removal, the head of the deque is exactly at the beginning of the mirrored memory region.\n\nAn attacker that controls both element insertion and removal into the deque could put it in a corrupted state. Once the deque enters such an state, its head and tail are corrupted, but in bounds of the allocated memory. This can result in partial reads and writes, reads of uninitialized memory, reads of memory containing previously dropped objects, etc. An attacker could exploit this to alter program execution.\n\nThe flaw was corrected by properly updating the head and tail of the deque in this case.",
"id": "GHSA-hr3c-6mmp-6m39",
"modified": "2023-06-13T20:55:45Z",
"published": "2021-08-25T20:42:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20995"
},
{
"type": "WEB",
"url": "https://github.com/gnzlbg/slice_deque/issues/57"
},
{
"type": "PACKAGE",
"url": "https://github.com/gnzlbg/slice_deque"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2018-0008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Memory corruption slice-deque"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.