RUSTSEC-2019-0018

Internally mutating methods take immutable ref self

Reported

September 2, 2019

Issued

October 1, 2020 (last modified: June 13, 2023)

Package

renderdoc (crates.io)

Type

Vulnerability

Keywords

#undefined_behavior

Aliases

References

https://github.com/ebkalderon/renderdoc-rs/pull/32

CVSS Score

9.8 CRITICAL

CVSS Details

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Patched

>=0.5.0

Affected Functions

Version

renderdoc::api::RenderDocV110::trigger_multi_frame_capture

<0.5.0

renderdoc::api::RenderDocV120::set_capture_file_comments

<0.5.0

Description

Affected versions of this crate exposed several methods which took self by immutable reference, despite the requesting the RenderDoc API to set a mutable value internally.

This is technically unsound and calling these methods from multiple threads without synchronization could lead to unexpected and unpredictable behavior.

The flaw was corrected in release 0.5.0.

Advisory available under CC0-1.0 license.