RUSTSEC-2020-0033

Matrix::new() drops uninitialized memory

Reported

August 25, 2020

Issued

October 1, 2020 (last modified: June 13, 2023)

Package

alg_ds (crates.io)

Type

Vulnerability

Aliases

CVE-2020-36432
GHSA-3vv3-frrq-6486

References

https://gitlab.com/dvshapkin/alg-ds/-/issues/1

CVSS Score

9.8 CRITICAL

CVSS Details

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Patched

no patched versions

Description

Matrix::new() internally calls Matrix::fill_with() which uses *ptr = value pattern to initialize the buffer. This pattern assumes that there is an initialized struct at the address and drops it, which results in dropping of uninitialized struct.

Advisory available under CC0-1.0 license.