Reported

January 2, 2021

Issued

January 20, 2021 (last modified: June 13, 2023)

Package

bra (crates.io)

Type

Vulnerability

Categories

• memory-exposure

Aliases

• CVE-2021-25905
• GHSA-j8qq-58cr-8cc7

References

• https://github.com/Enet4/bra-rs/issues/1

CVSS Score

9.1 CRITICAL

CVSS Details

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality Impact

High

Integrity Impact

None

Availability Impact

High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Patched

• >=0.1.1

Description

Affected versions of this crate creates an uninitialized buffer and passes it to user-provided Read implementation.

This is unsound, because it allows safe Rust code to exhibit an undefined behavior (read from uninitialized memory).

The flaw was corrected in version 0.1.1 by zero-initializing a newly allocated buffer before handing it to a user-provided Read implementation.

Advisory available under CC0-1.0 license.