RUSTSEC-2019-0003

Out of Memory in stream::read_raw_bytes_into()

Issued:
Package: protobuf (crates.io)
Type: Vulnerability
Categories:
Keywords: #oom #panic
Aliases:
Details: https://github.com/stepancheg/rust-protobuf/issues/411
CVSS Score: 7.5 HIGH

CVSS Details
  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: None
  • User interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Patched
  • ^1.7.5
  • >=2.6.0

Affected Functions (Version)
  • protobuf::stream::read_raw_bytes_into: <2.6.0

Description

Affected versions of this crate called Vec::reserve() on user-supplied input.

This allows an attacker to cause an Out of Memory condition while calling the vulnerable method on untrusted data.
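
The pattern described above beside a bounded alternative, as an added example (not code from rust-protobuf or its patch). The function names, the `MAX_PREALLOC` value and the 4-byte sample body are assumptions made for illustration.

```rust
use std::io::{self, Read};

/// Assumed cap on any single up-front reservation (hypothetical value).
const MAX_PREALLOC: usize = 64 * 1024;

/// Pattern described in the advisory: the declared length comes from the
/// wire and is handed straight to Vec::reserve(). Shown for contrast only;
/// a huge `declared_len` can abort or panic before a single byte is read.
#[allow(dead_code)]
fn read_bytes_unbounded<R: Read>(r: &mut R, declared_len: u32, out: &mut Vec<u8>) -> io::Result<()> {
    out.reserve(declared_len as usize); // allocation size chosen by the sender
    r.take(declared_len as u64).read_to_end(out)?;
    Ok(())
}

/// Bounded form: reserve at most MAX_PREALLOC, then let the buffer grow only
/// as real bytes arrive. A short stream is an error, not a large allocation.
fn read_bytes_bounded<R: Read>(r: &mut R, declared_len: u32, out: &mut Vec<u8>) -> io::Result<()> {
    let want = declared_len as usize;
    out.reserve(want.min(MAX_PREALLOC));
    let got = r.take(declared_len as u64).read_to_end(out)?;
    if got != want {
        return Err(io::Error::new(
            io::ErrorKind::UnexpectedEof,
            "declared length exceeds available data",
        ));
    }
    Ok(())
}

/// Constructed sample: a 4-byte body whose header claims `declared_len` bytes.
/// Returns whether the read succeeded and the capacity that was allocated.
fn demo(declared_len: u32) -> (bool, usize) {
    let body = [0xde, 0xad, 0xbe, 0xef];
    let mut out = Vec::new();
    let ok = read_bytes_bounded(&mut &body[..], declared_len, &mut out).is_ok();
    (ok, out.capacity())
}

fn main() {
    println!("honest length:   {:?}", demo(4));
    println!("inflated length: {:?}", demo(u32::MAX));
}
```

With the inflated length the bounded reader returns an error after allocating no more than the cap, whereas the unbounded form would request roughly 4 GiB before reading anything.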