bumpalo-3.9.1.crate: 1 vulnerabilities (highest severity is: 9.8) #8
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
|
Fixed as well in 51bc7d4 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
A fast bump allocation arena for Rust.
Library home page: https://crates.io/api/v1/crates/bumpalo/3.9.1/download
Vulnerabilities
Details
Vulnerable Library - bumpalo-3.9.1.crate
A fast bump allocation arena for Rust.
Library home page: https://crates.io/api/v1/crates/bumpalo/3.9.1/download
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
In bumpalo prior to 3.11.1, the lifetime of the iterator produced by Vec::into_iter() is not constrained to the lifetime of the Bump that allocated the vector's memory. Using the iterator after the Bump is dropped causes use-after-free accesses.
Publish Date: 2023-01-14
URL: WS-2023-0006
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://rustsec.org/advisories/RUSTSEC-2022-0078.html
Release Date: 2023-01-14
Fix Resolution: bumpalo - 3.11.1
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: