My repo for Advent Of Code
Home Page: https://adventofcode.com/
![mend-bolt-for-github[bot] avatar](https://avatars.githubusercontent.com/in/16809?v=4 "mend-bolt-for-github[bot]")
Vulnerable Library - xtask-0.1.0.crate
| CVE | Severity |  CVSS |
Dependency | Type | Fixed in (xtask version) | Remediation Available |
|---|---|---|---|---|---|---|
| WS-2023-0027 |  High |
9.8 | tokio-1.21.1.crate | Transitive | N/A* | |
| CVE-2023-22466 |  Medium |
5.4 | tokio-1.21.1.crate | Transitive | N/A* |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.
WS-2023-0027An event-driven, non-blocking I/O platform for writing asynchronous I/O backed applications.
Library home page: https://crates.io/api/v1/crates/tokio/1.21.1/download
Dependency Hierarchy:
Found in base branch: main
A soundness issue was discovered in tokio. tokio::io::ReadHalf::unsplit can violate the Pin contract. Specific set of conditions needed to trigger an issue (a !Unpin type in ReadHalf) is unusual, combined with the difficulty of making any arbitrary use-after-free exploitable in Rust without doing a lot of careful alignment of data types in the surrounding code. The tokio feature io-util is also required to be enabled to trigger this soundness issue.
Publish Date: 2023-02-02
URL: WS-2023-0027
Base Score Metrics:
Type: Upgrade version
Origin: https://rustsec.org/advisories/RUSTSEC-2023-0005.html
Release Date: 2023-02-02
Fix Resolution: tokio - 1.18.5,1.20.4,1.24.2
Step up your Open Source Security Game with Mend here
CVE-2023-22466An event-driven, non-blocking I/O platform for writing asynchronous I/O backed applications.
Library home page: https://crates.io/api/v1/crates/tokio/1.21.1/download
Dependency Hierarchy:
Found in base branch: main
Tokio is a runtime for writing applications with Rust. Starting with version 1.7.0 and prior to versions 1.18.4, 1.20.3, and 1.23.1, when configuring a Windows named pipe server, setting pipe_mode will reset reject_remote_clients to false. If the application has previously configured reject_remote_clients to true, this effectively undoes the configuration. Remote clients may only access the named pipe if the named pipe's associated path is accessible via a publicly shared folder (SMB). Versions 1.23.1, 1.20.3, and 1.18.4 have been patched. The fix will also be present in all releases starting from version 1.24.0. Named pipes were introduced to Tokio in version 1.7.0, so releases older than 1.7.0 are not affected. As a workaround, ensure that pipe_mode is set first after initializing a ServerOptions.
Publish Date: 2023-01-04
URL: CVE-2023-22466
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-7rrj-xr53-82p7
Release Date: 2023-01-04
Fix Resolution: tokio - 1.18.4,1.20.3,1.23.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - bumpalo-3.9.1.crateA fast bump allocation arena for Rust.
Library home page: https://crates.io/api/v1/crates/bumpalo/3.9.1/download
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (bumpalo version) | Remediation Available |
|---|---|---|---|---|---|---|
| WS-2023-0006 | High |
9.8 | bumpalo-3.9.1.crate | Direct | bumpalo - 3.11.1 |
WS-2023-0006A fast bump allocation arena for Rust.
Library home page: https://crates.io/api/v1/crates/bumpalo/3.9.1/download
Dependency Hierarchy:
Found in base branch: main
In bumpalo prior to 3.11.1, the lifetime of the iterator produced by Vec::into_iter() is not constrained to the lifetime of the Bump that allocated the vector's memory. Using the iterator after the Bump is dropped causes use-after-free accesses.
Publish Date: 2023-01-14
URL: WS-2023-0006
Base Score Metrics:
Type: Upgrade version
Origin: https://rustsec.org/advisories/RUSTSEC-2022-0078.html
Release Date: 2023-01-14
Fix Resolution: bumpalo - 3.11.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - smallvec-0.6.14.crate'Small vector' optimization: store up to a small number of items on the stack
Library home page: https://crates.io/api/v1/crates/smallvec/0.6.14/download
Found in HEAD commit: 37a1914151da9b6a8e6a517fd572741380f267ec
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (smallvec version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2021-25900 | High |
9.8 | smallvec-0.6.14.crate | Direct | 0.6.14;1.6.1 | |
| CVE-2018-25023 | High |
7.5 | smallvec-0.6.14.crate | Direct | smallvec - 0.6.13 |
CVE-2021-25900'Small vector' optimization: store up to a small number of items on the stack
Library home page: https://crates.io/api/v1/crates/smallvec/0.6.14/download
Dependency Hierarchy:
Found in HEAD commit: 37a1914151da9b6a8e6a517fd572741380f267ec
Found in base branch: main
An issue was discovered in the smallvec crate before 0.6.14 and 1.x before 1.6.1 for Rust. There is a heap-based buffer overflow in SmallVec::insert_many.
Publish Date: 2021-01-26
URL: CVE-2021-25900
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-43w2-9j62-hq99
Release Date: 2021-01-26
Fix Resolution: 0.6.14;1.6.1
Step up your Open Source Security Game with Mend here
CVE-2018-25023'Small vector' optimization: store up to a small number of items on the stack
Library home page: https://crates.io/api/v1/crates/smallvec/0.6.14/download
Dependency Hierarchy:
Found in HEAD commit: 37a1914151da9b6a8e6a517fd572741380f267ec
Found in base branch: main
An issue was discovered in the smallvec crate before 0.6.13 for Rust. It can create an uninitialized value of any type, including a reference type.
Publish Date: 2021-12-27
URL: CVE-2018-25023
Base Score Metrics:
Type: Upgrade version
Origin: https://rustsec.org/advisories/RUSTSEC-2018-0018.html
Release Date: 2021-12-27
Fix Resolution: smallvec - 0.6.13
Step up your Open Source Security Game with Mend here
Vulnerable Library - aoc_2015-0.1.0
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (aoc_2015 version) | Remediation Available |
|---|---|---|---|---|---|---|
| WS-2023-0006 | High |
9.8 | bumpalo-3.11.0.crate | Transitive | N/A* |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.
WS-2023-0006A fast bump allocation arena for Rust.
Library home page: https://crates.io/api/v1/crates/bumpalo/3.11.0/download
Dependency Hierarchy:
Found in base branch: main
In bumpalo prior to 3.11.1, the lifetime of the iterator produced by Vec::into_iter() is not constrained to the lifetime of the Bump that allocated the vector's memory. Using the iterator after the Bump is dropped causes use-after-free accesses.
Publish Date: 2023-01-14
URL: WS-2023-0006
Base Score Metrics:
Type: Upgrade version
Origin: https://rustsec.org/advisories/RUSTSEC-2022-0078.html
Release Date: 2023-01-14
Fix Resolution: bumpalo - 3.11.1
Step up your Open Source Security Game with Mend here
| CVE | Severity | CVSS |
Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2021-25900 | High |
9.8 | smallvec-0.6.14.crate | Transitive | N/A | |
| CVE-2018-25023 | High |
7.5 | smallvec-0.6.14.crate | Transitive | N/A |
CVE-2021-25900'Small vector' optimization: store up to a small number of items on the stack
Library home page: https://crates.io/api/v1/crates/smallvec/0.6.14/download
Dependency Hierarchy:
Found in HEAD commit: ec4ac667443491bb984af30cc4cdbf9787149a61
Found in base branch: main
An issue was discovered in the smallvec crate before 0.6.14 and 1.x before 1.6.1 for Rust. There is a heap-based buffer overflow in SmallVec::insert_many.
Publish Date: 2021-01-26
URL: CVE-2021-25900
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-43w2-9j62-hq99
Release Date: 2021-01-26
Fix Resolution: 0.6.14;1.6.1
Step up your Open Source Security Game with Mend here
CVE-2018-25023'Small vector' optimization: store up to a small number of items on the stack
Library home page: https://crates.io/api/v1/crates/smallvec/0.6.14/download
Dependency Hierarchy:
Found in HEAD commit: ec4ac667443491bb984af30cc4cdbf9787149a61
Found in base branch: main
An issue was discovered in the smallvec crate before 0.6.13 for Rust. It can create an uninitialized value of any type, including a reference type.
Publish Date: 2021-12-27
URL: CVE-2018-25023
Base Score Metrics:
Type: Upgrade version
Origin: https://rustsec.org/advisories/RUSTSEC-2018-0018.html
Release Date: 2021-12-27
Fix Resolution: smallvec - 0.6.13
Step up your Open Source Security Game with Mend here
Vulnerable Library - criterion-0.3.5.crate
Found in HEAD commit: ec4ac667443491bb984af30cc4cdbf9787149a61
| CVE | Severity | CVSS |
Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-23639 | High |
8.1 | crossbeam-utils-0.8.5.crate | Transitive | N/A |
CVE-2022-23639Utilities for concurrent programming
Library home page: https://crates.io/api/v1/crates/crossbeam-utils/0.8.5/download
Dependency Hierarchy:
Found in HEAD commit: ec4ac667443491bb984af30cc4cdbf9787149a61
Found in base branch: main
crossbeam-utils provides atomics, synchronization primitives, scoped threads, and other utilities for concurrent programming in Rust. crossbeam-utils prior to version 0.8.7 incorrectly assumed that the alignment of {i,u}64 was always the same as Atomic{I,U}64. However, the alignment of {i,u}64 on a 32-bit target can be smaller than Atomic{I,U}64. This can cause unaligned memory accesses and data race. Crates using fetch_* methods with AtomicCell<{i,u}64> are affected by this issue. 32-bit targets without Atomic{I,U}64 and 64-bit targets are not affected by this issue. This has been fixed in crossbeam-utils 0.8.7. There are currently no known workarounds.
Publish Date: 2022-02-15
URL: CVE-2022-23639
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-qc84-gqf4-9926
Release Date: 2022-02-15
Fix Resolution: crossbeam-utils - 0.8.7
Step up your Open Source Security Game with WhiteSource here
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.
