HistoryEdit

RUSTSEC-2021-0122

Generated code can read and write out of bounds in safe code

Issued
Package
flatbuffers (crates.io)
Type
Vulnerability
Details
https://github.com/google/flatbuffers/issues/6627
CVSS Score
9.8 CRITICAL
CVSS Details
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Patched
no patched versions

Description

Code generated by flatbuffers' compiler is unsafe but not marked as such. See https://github.com/google/flatbuffers/issues/6627 for details.

All users that use generated code by flatbuffers compiler are recommended to:

  1. not expose flatbuffer generated code as part of their public APIs
  2. audit their code and look for any usage of follow, push, or any method that uses them (e.g. self_follow).
  3. Carefuly go through the crates' documentation to understand which "safe" APIs are not intended to be used.