
RUSTSEC-2019-0036

Type confusion if __private_get_type_id__ is overridden

Reported
Issued
Package: failure (crates.io)
Type: INFO Unsound
Keywords: #unsound
Aliases
Details: https://github.com/rust-lang-nursery/failure/issues/336
CVSS Score: 9.8 CRITICAL
CVSS Details:
  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: None
  • User interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Patched: no patched versions
Affected Functions (Version):
  • failure::Fail::__private_get_type_id__: >=0.1.0

Description

Safe Rust code can implement a malfunctioning __private_get_type_id__ and cause type confusion when downcasting, which is undefined behavior.

Users who derive the Fail trait are not affected.
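
The pattern described above, as an added example that is not code from the failure crate or from this advisory: a type-id hook with an overridable default body lets safe code defeat the check that guards a downcast, while a hook supplied by a blanket impl cannot be overridden. The names Overridable, Hardened, sealed::Typed, Real and Liar are hypothetical, and the sealed design is one assumed way to close the hole, not a fix shipped by the crate; the code only evaluates the guard and performs no unsafe cast.

```rust
use std::any::TypeId;

// Hypothetical model of the flawed pattern: a type-id hook with a default
// body that any safe implementor is free to override.
trait Overridable: 'static {
    fn type_id_hook(&self) -> TypeId { TypeId::of::<Self>() }
}
// The check a downcast relies on before its unsafe pointer cast.
fn is_overridable<T: Overridable>(e: &dyn Overridable) -> bool {
    e.type_id_hook() == TypeId::of::<T>()
}

// Hardened model (assumed design): the id comes from a blanket impl, so a
// second impl for any concrete type is rejected as conflicting.
mod sealed {
    use std::any::TypeId;
    pub trait Typed: 'static { fn real_type_id(&self) -> TypeId; }
    impl<T: 'static> Typed for T {
        fn real_type_id(&self) -> TypeId { TypeId::of::<T>() }
    }
}
trait Hardened: sealed::Typed {}
fn is_hardened<T: Hardened>(e: &dyn Hardened) -> bool {
    sealed::Typed::real_type_id(e) == TypeId::of::<T>()
}

#[allow(dead_code)] struct Real(u64);
#[allow(dead_code)] struct Liar(u8);

impl Overridable for Real {}
impl Overridable for Liar {
    // No `unsafe` anywhere, yet this claims to be `Real`.
    fn type_id_hook(&self) -> TypeId { TypeId::of::<Real>() }
}
impl Hardened for Real {}
impl Hardened for Liar {}

// True means the guard would let a `Liar` be reinterpreted as `Real`.
fn overridable_check_fooled() -> bool { is_overridable::<Real>(&Liar(0)) }
fn hardened_check_fooled() -> bool { is_hardened::<Real>(&Liar(0)) }

fn main() {
    println!("overridable hook fooled: {}", overridable_check_fooled());
    println!("sealed hook fooled:      {}", hardened_check_fooled());
}
```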