CVE-2020-35916 (Medium) detected in image-0.21.3.crate, image-0.22.5.crate

[mend-bolt-for-github]

CVE-2020-35916 - Medium Severity Vulnerability

Vulnerable Libraries - image-0.21.3.crate, image-0.22.5.crate

image-0.21.3.crate

Imaging library written in Rust. Provides basic filters and decoders for the most common image formats.

Library home page: https://crates.io/api/v1/crates/image/0.21.3/download

Dependency Hierarchy:

• amethyst-0.15.3.crate (Root Library)
  • amethyst_window-0.15.3.crate
    • winit-0.19.5.crate
      • ❌ image-0.21.3.crate (Vulnerable Library)

image-0.22.5.crate

Imaging library written in Rust. Provides basic filters and decoders for the most common image formats.

Library home page: https://crates.io/api/v1/crates/image/0.22.5/download

Dependency Hierarchy:

• amethyst-0.15.3.crate (Root Library)
  • amethyst_ui-0.15.3.crate
    • amethyst_rendy-0.15.3.crate
      • rendy-0.4.1.crate
        • rendy-texture-0.4.1.crate
          • ❌ image-0.22.5.crate (Vulnerable Library)

Found in HEAD commit: a5a175063bd51fcbbce0eaba88d1b9b6ad315911

Found in base branch: master

Vulnerability Details

An issue was discovered in the image crate before 0.23.12 for Rust. A Mutable reference has immutable provenance. (In the case of LLVM, the IR may be always correct.)

Publish Date: 2020-12-31

URL: CVE-2020-35916

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2020-0073.html

Release Date: 2020-12-31

Fix Resolution: 0.23.12

---

Step up your Open Source Security Game with Mend here