Reported

August 1, 2016

Issued

October 1, 2020 (last modified: June 13, 2023)

Package

portaudio (crates.io)

Type

Vulnerability

Keywords

#ssl #mitm

Aliases

• CVE-2016-10933
• GHSA-pq6v-x7gp-7776

References

• https://github.com/RustAudio/rust-portaudio/issues/144

CVSS Score

5.9 MEDIUM

CVSS Details

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality Impact

High

Integrity Impact

None

Availability Impact

None

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Patched

no patched versions

Description

The build script in the portaudio crate will attempt to download via HTTP the portaudio source and build it.

A Mallory in the middle can intercept the download with their own archive and get RCE.

Advisory available under CC0-1.0 license.