You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
WS-2023-0045
Vulnerable Library - remove_dir_all-0.5.3.crate
A safe, reliable implementation of remove_dir_all for Windows
The remove_dir_all crate is a Rust library that offers additional features over the Rust standard library fs::remove_dir_all function. It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked.
mend-bolt-for-githubbot
changed the title
tokio-tungstenite-0.19.0.crate: 4 vulnerabilities (highest severity is: 9.1)
tokio-tungstenite-0.19.0.crate: 4 vulnerabilities (highest severity is: 9.1) - autoclosed
Jun 12, 2023
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
Vulnerable Library - tokio-tungstenite-0.19.0.crate
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
WS-2023-0045
Vulnerable Library - remove_dir_all-0.5.3.crate
A safe, reliable implementation of remove_dir_all for Windows
Library home page: https://crates.io/api/v1/crates/remove_dir_all/0.5.3/download
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
The remove_dir_all crate is a Rust library that offers additional features over the Rust standard library fs::remove_dir_all function. It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked.
Publish Date: 2023-02-24
URL: WS-2023-0045
CVSS 3 Score Details (9.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-mc8h-8q98-g5hr
Release Date: 2023-02-24
Fix Resolution: remove_dir_all - 0.8.0
Step up your Open Source Security Game with Mend here
WS-2023-0082
Vulnerable Libraries - openssl-sys-0.9.80.crate, openssl-0.10.45.crate
openssl-sys-0.9.80.crate
FFI bindings to OpenSSL
Library home page: https://crates.io/api/v1/crates/openssl-sys/0.9.80/download
Dependency Hierarchy:
openssl-0.10.45.crate
OpenSSL bindings
Library home page: https://crates.io/api/v1/crates/openssl/0.10.45/download
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
openssl
X509NameBuilder::build
returned object is not thread safePublish Date: 2023-03-25
URL: WS-2023-0082
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-3gxf-9r58-2ghg
Release Date: 2023-03-25
Fix Resolution: openssl - 0.10.48
Step up your Open Source Security Game with Mend here
WS-2023-0081
Vulnerable Libraries - openssl-sys-0.9.80.crate, openssl-0.10.45.crate
openssl-sys-0.9.80.crate
FFI bindings to OpenSSL
Library home page: https://crates.io/api/v1/crates/openssl-sys/0.9.80/download
Dependency Hierarchy:
openssl-0.10.45.crate
OpenSSL bindings
Library home page: https://crates.io/api/v1/crates/openssl/0.10.45/download
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
openssl
X509Extension::new
andX509Extension::new_nid
null pointer dereferencePublish Date: 2023-03-25
URL: WS-2023-0081
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-6hcf-g6gr-hhcr
Release Date: 2023-03-25
Fix Resolution: openssl - 0.10.48
Step up your Open Source Security Game with Mend here
WS-2023-0083
Vulnerable Libraries - openssl-sys-0.9.80.crate, openssl-0.10.45.crate
openssl-sys-0.9.80.crate
FFI bindings to OpenSSL
Library home page: https://crates.io/api/v1/crates/openssl-sys/0.9.80/download
Dependency Hierarchy:
openssl-0.10.45.crate
OpenSSL bindings
Library home page: https://crates.io/api/v1/crates/openssl/0.10.45/download
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
openssl
SubjectAlternativeName
andExtendedKeyUsage::other
allow arbitrary file readPublish Date: 2023-03-25
URL: WS-2023-0083
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-9qwg-crg9-m2vc
Release Date: 2023-03-25
Fix Resolution: openssl - 0.10.48
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: