Reported

January 31, 2021

Issued

April 2, 2021 (last modified: June 13, 2023)

Package

outer_cgi (crates.io)

Type

Vulnerability

Categories

• memory-exposure

Aliases

• CVE-2021-30454
• GHSA-6vmq-jh76-hq43

References

• https://github.com/SolraBizna/outer_cgi/issues/1

CVSS Score

9.8 CRITICAL

CVSS Details

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality Impact

High

Integrity Impact

High

Availability Impact

High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Patched

• >=0.2.1

Description

The KeyValueReader type in affected versions of this crate set up an uninitialized memory buffer and passed them to be read in to a user-provided Read instance.

The Read instance could read uninitialized memory and cause undefined behavior and miscompilations.

This issue was fixed in commit dd59b30 by zero-initializing the buffers before passing them.

Advisory available under CC0-1.0 license.