Reported

December 31, 2020

Issued

January 20, 2021 (last modified: June 13, 2023)

Package

autorand (crates.io)

Type

Vulnerability

Categories

• memory-corruption

Aliases

• CVE-2020-36210
• GHSA-cgmg-2v6m-fjg7

References

• https://github.com/mersinvald/autorand-rs/issues/5

CVSS Score

7.8 HIGH

CVSS Details

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality Impact

High

Integrity Impact

High

Availability Impact

High

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Patched

• >=0.2.3

Description

Affected versions of this crate had a panic safety issue to drop partially uninitialized array of T upon panic in a user provided function T::random(). Dropping uninitialized T can potentially cause memory corruption or undefined behavior.

The flaw was corrected in commit 565d508 by using MaybeUninit<T> to avoid possible dropping of uninitialized memory upon panic.

Advisory available under CC0-1.0 license.