RUSTSEC-2019-0016

Use-after-free in buffer conversion implementation

Reported

September 1, 2019

Issued

October 1, 2020 (last modified: June 13, 2023)

Package

chttp (crates.io)

Type

Vulnerability

Keywords

#memory-management #memory-corruption

Aliases

CVE-2019-16140
GHSA-5rrv-m36h-qwf8

References

https://github.com/sagebind/isahc/issues/2

CVSS Score

9.8 CRITICAL

CVSS Details

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Patched

>=0.1.3

Unaffected

<0.1.1

Description

The From implementation for Vec was not properly implemented, returning a vector backed by freed memory. This could lead to memory corruption or be exploited to cause undefined behavior.

A fix was published in version 0.1.3.

Advisory available under CC0-1.0 license.