GHSA-WQ8F-46WW-6C2H

Vulnerability from github – Published: 2021-08-25 20:43 – Updated: 2023-06-13 22:27
VLAI?
Summary
Integer underflow in untrusted
Details

A mistake in error handling in untrusted before 0.6.2 could lead to an integer underflow and panic if a user of the crate didn't properly check for errors returned by untrusted. Combination of these two programming errors (one in untrusted and another by user of this crate) could lead to a panic and maybe a denial of service of affected software. The error in untrusted is fixed in release 0.6.2 released 2018-06-21. It's also advisable that users of untrusted check for their sources for cases where errors returned by untrusted are not handled correctly.

Severity ?
7.5 (High)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Show details on source website
To clipboard Create KEV Entry 

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "untrusted"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.6.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-20989"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-19T21:24:20Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "A mistake in error handling in untrusted before 0.6.2 could lead to an integer underflow and panic if a user of the crate didn\u0027t properly check for errors returned by untrusted. Combination of these two programming errors (one in untrusted and another by user of this crate) could lead to a panic and maybe a denial of service of affected software. The error in untrusted is fixed in release 0.6.2 released 2018-06-21. It\u0027s also advisable that users of untrusted check for their sources for cases where errors returned by untrusted are not handled correctly.",
  "id": "GHSA-wq8f-46ww-6c2h",
  "modified": "2023-06-13T22:27:01Z",
  "published": "2021-08-25T20:43:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20989"
    },
    {
      "type": "WEB",
      "url": "https://github.com/briansmith/untrusted/pull/20"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/briansmith/untrusted"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2018-0001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Integer underflow in untrusted"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.