Reported

November 29, 2020

Issued

November 29, 2020 (last modified: June 13, 2023)

Package

branca (crates.io)

Type

Vulnerability

Categories

• denial-of-service

Keywords

#decoding #panic #untrusted-data

Aliases

• CVE-2020-35918
• GHSA-c9rv-3jmq-527w

References

• https://github.com/return/branca/issues/24

CVSS Score

5.5 MEDIUM

CVSS Details

Attack vector

Local

Attack complexity

Low

Privileges required

Low

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Patched

• >=0.10.0

Affected Functions

Version

branca::Branca::decode

• <0.10.0

branca::decode

• <0.10.0

Description

Prior to 0.10.0 it was possible to have both decoding functions panic unexpectedly, by supplying tokens with an incorrect base62 encoding.

The documentation stated that an error should have been reported instead.

Advisory available under CC0-1.0 license.