Reported

June 21, 2018

Issued

October 1, 2020 (last modified: June 13, 2023)

Package

untrusted (crates.io)

Type

Vulnerability

Keywords

#crash

Aliases

• CVE-2018-20989
• GHSA-wq8f-46ww-6c2h

References

• https://github.com/briansmith/untrusted/pull/20

CVSS Score

7.5 HIGH

CVSS Details

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Patched

• >=0.6.2

Description

A mistake in error handling in untrusted before 0.6.2 could lead to an integer underflow and panic if a user of the crate didn't properly check for errors returned by untrusted.

Combination of these two programming errors (one in untrusted and another by user of this crate) could lead to a panic and maybe a denial of service of affected software.

The error in untrusted is fixed in release 0.6.2 released 2018-06-21. It's also advisable that users of untrusted check for their sources for cases where errors returned by untrusted are not handled correctly.

Advisory available under CC0-1.0 license.