iris's People

Contributors: ahmct-trav, douglau, douglau-mnit, gordonparikh, mdarter, mend-for-github-com[bot], mvalle21

iris's Issues

WS-2021-0424 (Medium) detected in tokio-0.2.22.crate - autoclosed

WS-2021-0424 - Medium Severity Vulnerability

Vulnerable Library - tokio-0.2.22.crate

An event-driven, non-blocking I/O platform for writing asynchronous I/O backed applications.

Library home page: https://crates.io/api/v1/crates/tokio/0.2.22/download

Dependency Hierarchy:

  • postgis-0.7.0.crate (Root Library)
    • postgres-0.17.5.crate
      • tokio-0.2.22.crate (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The tokio crate has a data race when sending and receiving after closing a oneshot channel.
Versions before 0.1.15 are not affected.
Fixed in 1.8.4 and 1.13.1.

If a tokio::sync::oneshot channel is closed (via the oneshot::Receiver::close method), a data race may occur if the oneshot::Sender::send method is called while the corresponding oneshot::Receiver is awaited or calling try_recv.

When these methods are called concurrently on a closed channel, the two halves of the channel can concurrently access a shared memory location, resulting in a data race. This has been observed to cause memory corruption.

Note that the race only occurs when both halves of the channel are used after the Receiver half has called close. Code where close is not used, or where the Receiver is not awaited and try_recv is not called after calling close, is not affected.

Publish Date: 2021-11-16

URL: WS-2021-0424

CVSS 3 Score Details (5.5)

Base Score Metrics: not recorded for this autoclosed entry (the scanner exported every exploitability and impact field as N/A); the same finding, with a full vector, is listed as CVE-2021-45710 below.

Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2021-0124.html

Release Date: 2021-11-16

Fix Resolution: tokio - 1.8.4,1.13.1

CVE-2020-35919 (Medium) detected in net2-0.2.35.crate

CVE-2020-35919 - Medium Severity Vulnerability

Vulnerable Library - net2-0.2.35.crate

Extensions to the standard library's networking types as proposed in RFC 1158.

Library home page: https://crates.io/api/v1/crates/net2/0.2.35/download

Dependency Hierarchy:

  • postgres-0.17.5.crate (Root Library)
    • tokio-0.2.22.crate
      • mio-0.6.22.crate
        • net2-0.2.35.crate (Vulnerable Library)

Found in HEAD commit: f5ba21d0a4068619df7211588d4398145fe3eff3

Found in base branch: master

Vulnerability Details

An issue was discovered in the net2 crate before 0.2.36 for Rust. It has false expectations about the std::net::SocketAddr memory representation.
Mend Note: Converted from WS-2020-0231, on 2021-01-19.

Publish Date: 2020-12-31

URL: CVE-2020-35919

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2020-0078.html

Release Date: 2020-12-31

Fix Resolution: net2 - 0.2.36

CVE-2020-35921 (Medium) detected in miow-0.2.1.crate

CVE-2020-35921 - Medium Severity Vulnerability

Vulnerable Library - miow-0.2.1.crate

A zero overhead I/O library for Windows, focusing on IOCP and Async I/O abstractions.

Library home page: https://crates.io/api/v1/crates/miow/0.2.1/download

Dependency Hierarchy:

  • postgres-0.17.5.crate (Root Library)
    • tokio-0.2.22.crate
      • mio-0.6.22.crate
        • miow-0.2.1.crate (Vulnerable Library)

Found in HEAD commit: f5ba21d0a4068619df7211588d4398145fe3eff3

Found in base branch: master

Vulnerability Details

An issue was discovered in the miow crate before 0.3.6 for Rust. It has false expectations about the std::net::SocketAddr memory representation.
Mend Note: Converted from WS-2020-0229, on 2021-01-19.

Publish Date: 2020-12-31

URL: CVE-2020-35921

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2020-0080.html

Release Date: 2020-12-31

Fix Resolution: miow - 0.2.2,0.3.6

CVE-2020-35913 (Medium) detected in lock_api-0.4.1.crate

CVE-2020-35913 - Medium Severity Vulnerability

Vulnerable Library - lock_api-0.4.1.crate

Wrappers to create fully-featured Mutex and RwLock types. Compatible with no_std.

Library home page: https://crates.io/api/v1/crates/lock_api/0.4.1/download

Dependency Hierarchy:

  • postgres-0.17.5.crate (Root Library)
    • tokio-postgres-0.5.5.crate
      • parking_lot-0.11.0.crate
        • lock_api-0.4.1.crate (Vulnerable Library)

Found in HEAD commit: f5ba21d0a4068619df7211588d4398145fe3eff3

Found in base branch: master

Vulnerability Details

An issue was discovered in the lock_api crate before 0.4.2 for Rust. A data race can occur because of RwLockReadGuard unsoundness.
Mend Note: Converted from WS-2020-0234, on 2021-08-19.

Publish Date: 2020-12-31

URL: CVE-2020-35913

CVSS 3 Score Details (4.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2020-0070.html

Release Date: 2020-12-31

Fix Resolution: lock_api - 0.4.2

CVE-2020-35914 (Medium) detected in lock_api-0.4.1.crate

CVE-2020-35914 - Medium Severity Vulnerability

Vulnerable Library - lock_api-0.4.1.crate

Wrappers to create fully-featured Mutex and RwLock types. Compatible with no_std.

Library home page: https://crates.io/api/v1/crates/lock_api/0.4.1/download

Dependency Hierarchy:

  • postgres-0.17.5.crate (Root Library)
    • tokio-postgres-0.5.5.crate
      • parking_lot-0.11.0.crate
        • lock_api-0.4.1.crate (Vulnerable Library)

Found in HEAD commit: f5ba21d0a4068619df7211588d4398145fe3eff3

Found in base branch: master

Vulnerability Details

An issue was discovered in the lock_api crate before 0.4.2 for Rust. A data race can occur because of RwLockWriteGuard unsoundness.

Publish Date: 2020-12-31

URL: CVE-2020-35914

CVSS 3 Score Details (4.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-12-31

Fix Resolution: lock_api - 0.4.2

CVE-2020-35905 (Medium) detected in futures-util-0.3.6.crate

CVE-2020-35905 - Medium Severity Vulnerability

Vulnerable Library - futures-util-0.3.6.crate

Common utilities and extension traits for the futures-rs library.

Library home page: https://crates.io/api/v1/crates/futures-util/0.3.6/download

Dependency Hierarchy:

  • postgres-0.17.5.crate (Root Library)
    • tokio-postgres-0.5.5.crate
      • futures-0.3.6.crate
        • futures-executor-0.3.6.crate
          • futures-util-0.3.6.crate (Vulnerable Library)

Found in HEAD commit: f5ba21d0a4068619df7211588d4398145fe3eff3

Found in base branch: master

Vulnerability Details

An issue was discovered in the futures-util crate before 0.3.7 for Rust. MutexGuard::map can cause a data race for certain closure situations (in safe code).

Publish Date: 2020-12-31

URL: CVE-2020-35905

CVSS 3 Score Details (4.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2020-0059.html

Release Date: 2020-12-31

Fix Resolution: futures-util - 0.3.7

CVE-2020-35910 (Medium) detected in lock_api-0.4.1.crate

CVE-2020-35910 - Medium Severity Vulnerability

Vulnerable Library - lock_api-0.4.1.crate

Wrappers to create fully-featured Mutex and RwLock types. Compatible with no_std.

Library home page: https://crates.io/api/v1/crates/lock_api/0.4.1/download

Dependency Hierarchy:

  • postgres-0.17.5.crate (Root Library)
    • tokio-postgres-0.5.5.crate
      • parking_lot-0.11.0.crate
        • lock_api-0.4.1.crate (Vulnerable Library)

Found in HEAD commit: f5ba21d0a4068619df7211588d4398145fe3eff3

Found in base branch: master

Vulnerability Details

An issue was discovered in the lock_api crate before 0.4.2 for Rust. A data race can occur because of MappedMutexGuard unsoundness.
Mend Note: Converted from WS-2020-0234, on 2021-08-19.

Publish Date: 2020-12-31

URL: CVE-2020-35910

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2020-0070.html

Release Date: 2020-12-31

Fix Resolution: lock_api - 0.4.2

WS-2023-0223 (Critical) detected in atty-0.2.14.crate

WS-2023-0223 - Critical Severity Vulnerability

Vulnerable Library - atty-0.2.14.crate

A simple interface for querying atty

Library home page: https://crates.io/api/v1/crates/atty/0.2.14/download

Dependency Hierarchy:

  • env_logger-0.7.1.crate (Root Library)
    • atty-0.2.14.crate (Vulnerable Library)

Found in HEAD commit: f5ba21d0a4068619df7211588d4398145fe3eff3

Found in base branch: master

Vulnerability Details

atty potential unaligned read. The underlying RustSec advisory describes a potentially unaligned pointer dereference in atty on Windows; the crate is unmaintained and no fixed release exists, which is why this entry carries no Suggested Fix section. The 9.8 network-exploitable vector below is not consistent with an unaligned read inside a local terminal check and should not drive prioritisation on its own. The practical remediation is to drop atty: either by moving env_logger to a release that no longer depends on it, or by switching to std::io::IsTerminal, which covers the same need.

Publish Date: 2023-06-30

URL: WS-2023-0223

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

WS-2020-0404 (Medium) detected in net2-0.2.35.crate

WS-2020-0404 - Medium Severity Vulnerability

Vulnerable Library - net2-0.2.35.crate

Extensions to the standard library's networking types as proposed in RFC 1158.

Library home page: https://crates.io/api/v1/crates/net2/0.2.35/download

Dependency Hierarchy:

  • postgres-0.17.5.crate (Root Library)
    • tokio-0.2.22.crate
      • mio-0.6.22.crate
        • net2-0.2.35.crate (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The net2 crate assumed that std::net::SocketAddrV4 and std::net::SocketAddrV6 have the same memory layout as the system C sockaddr representation, and simply cast pointers to convert socket addresses to the system type. The standard library makes no promise about that layout, so any change to its implementation turns the cast into an invalid memory access, and no warning or error is emitted when the change happens. Fixed in version 0.2.36. The same assumption is behind the net2, socket2, miow and mio entries on this page (CVE-2020-35919 through CVE-2020-35922).
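The following is an added example for this page, written here and not taken from net2 or any of the other crates: the pointer-cast pattern the advisory describes, beside the field-by-field conversion that does not depend on std's private layout. SockaddrIn is a local mirror of the C sockaddr_in in its Linux layout and AF_INET = 2 is assumed so the block builds without the libc crate; the unsound cast is shown only as a pointer and is never dereferenced.

```rust
use std::mem::size_of;
use std::net::{Ipv4Addr, SocketAddrV4};

/// AF_INET value on Linux, the BSDs and Windows (assumed here; libc::AF_INET in real code).
pub const AF_INET: u16 = 2;

/// Local mirror of the C `sockaddr_in` in its Linux layout (the BSDs prepend a `sin_len` byte).
/// Declared for this example so it builds without the libc crate; `repr(C)` fixes the layout.
#[repr(C)]
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct SockaddrIn {
    pub sin_family: u16,
    pub sin_port: u16,     // network byte order
    pub sin_addr: [u8; 4], // network byte order
    pub sin_zero: [u8; 8],
}

/// The pattern the advisory describes: reinterpret the std value as the C struct.
/// Nothing promises that SocketAddrV4 has this layout, so dereferencing the result is
/// undefined behaviour. Shown for contrast only; the pointer is never read in this file.
pub fn as_sockaddr_in_ptr_unsound(addr: &SocketAddrV4) -> *const SockaddrIn {
    addr as *const SocketAddrV4 as *const SockaddrIn
}

/// Whether the layout assumption even has a chance on this toolchain. A size mismatch
/// means the cast above would read past the end of the SocketAddrV4 value.
pub fn layout_assumption_holds() -> bool {
    size_of::<SocketAddrV4>() == size_of::<SockaddrIn>()
}

/// The sound conversion: build the C struct from the public accessors, never from memory.
pub fn to_sockaddr_in(addr: &SocketAddrV4) -> SockaddrIn {
    SockaddrIn {
        sin_family: AF_INET,
        sin_port: addr.port().to_be(),
        sin_addr: addr.ip().octets(),
        sin_zero: [0; 8],
    }
}

/// The reverse direction, validating the family before trusting the remaining fields.
pub fn from_sockaddr_in(raw: &SockaddrIn) -> Option<SocketAddrV4> {
    if raw.sin_family != AF_INET {
        return None;
    }
    Some(SocketAddrV4::new(Ipv4Addr::from(raw.sin_addr), u16::from_be(raw.sin_port)))
}

fn main() {
    let addr = SocketAddrV4::new(Ipv4Addr::new(192, 0, 2, 10), 8080);
    let raw = to_sockaddr_in(&addr);
    println!("{addr} -> {raw:?}");
    println!(
        "size_of SocketAddrV4 = {}, size_of sockaddr_in = {}, cast would be sound: {}",
        size_of::<SocketAddrV4>(),
        size_of::<SockaddrIn>(),
        layout_assumption_holds()
    );
    let _ptr = as_sockaddr_in_ptr_unsound(&addr); // created, deliberately never dereferenced
}
```

On toolchains where std stores SocketAddrV4 as an Ipv4Addr plus a u16 the two sizes differ, and the cast would read beyond the value; the accessor-based conversion is unaffected by whatever std does internally, which is the property the fixed crates rely on.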

Publish Date: 2020-11-07

URL: WS-2020-0404

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2020-0078.html

Release Date: 2020-11-07

Fix Resolution: net2 - 0.2.36

CVE-2020-35911 (Medium) detected in lock_api-0.4.1.crate

CVE-2020-35911 - Medium Severity Vulnerability

Vulnerable Library - lock_api-0.4.1.crate

Wrappers to create fully-featured Mutex and RwLock types. Compatible with no_std.

Library home page: https://crates.io/api/v1/crates/lock_api/0.4.1/download

Dependency Hierarchy:

  • postgres-0.17.5.crate (Root Library)
    • tokio-postgres-0.5.5.crate
      • parking_lot-0.11.0.crate
        • lock_api-0.4.1.crate (Vulnerable Library)

Found in HEAD commit: f5ba21d0a4068619df7211588d4398145fe3eff3

Found in base branch: master

Vulnerability Details

An issue was discovered in the lock_api crate before 0.4.2 for Rust. A data race can occur because of MappedRwLockReadGuard unsoundness.

Publish Date: 2020-12-31

URL: CVE-2020-35911

CVSS 3 Score Details (4.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-12-31

Fix Resolution: lock_api - 0.4.2

CVE-2020-35912 (Medium) detected in lock_api-0.4.1.crate

CVE-2020-35912 - Medium Severity Vulnerability

Vulnerable Library - lock_api-0.4.1.crate

Wrappers to create fully-featured Mutex and RwLock types. Compatible with no_std.

Library home page: https://crates.io/api/v1/crates/lock_api/0.4.1/download

Dependency Hierarchy:

  • postgres-0.17.5.crate (Root Library)
    • tokio-postgres-0.5.5.crate
      • parking_lot-0.11.0.crate
        • lock_api-0.4.1.crate (Vulnerable Library)

Found in HEAD commit: f5ba21d0a4068619df7211588d4398145fe3eff3

Found in base branch: master

Vulnerability Details

An issue was discovered in the lock_api crate before 0.4.2 for Rust. A data race can occur because of MappedRwLockWriteGuard unsoundness.

Publish Date: 2020-12-31

URL: CVE-2020-35912

CVSS 3 Score Details (4.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-12-31

Fix Resolution: lock_api - 0.4.2

CVE-2020-35920 (Medium) detected in net2-0.2.35.crate

CVE-2020-35920 - Medium Severity Vulnerability

Vulnerable Library - net2-0.2.35.crate

Extensions to the standard library's networking types as proposed in RFC 1158.

Library home page: https://crates.io/api/v1/crates/net2/0.2.35/download

Dependency Hierarchy:

  • postgres-0.17.5.crate (Root Library)
    • tokio-0.2.22.crate
      • mio-0.6.22.crate
        • net2-0.2.35.crate (Vulnerable Library)

Found in HEAD commit: f5ba21d0a4068619df7211588d4398145fe3eff3

Found in base branch: master

Vulnerability Details

An issue was discovered in the socket2 crate before 0.3.16 for Rust. It has false expectations about the std::net::SocketAddr memory representation.
Note that the CVE text describes socket2, not net2; the finding is listed under net2 here because net2 carries the same SocketAddr layout assumption (CVE-2020-35919, WS-2020-0404), which is why the Fix Resolution below names both crates.
Mend Note: Converted from WS-2020-0230, on 2021-01-19.

Publish Date: 2020-12-31

URL: CVE-2020-35920

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-458v-4hrf-g3m4

Release Date: 2020-12-31

Fix Resolution: net2 - 0.2.36, socket2 - 0.3.16

CVE-2021-45710 (High) detected in tokio-0.2.22.crate

CVE-2021-45710 - High Severity Vulnerability

Vulnerable Library - tokio-0.2.22.crate

An event-driven, non-blocking I/O platform for writing asynchronous I/O backed applications.

Library home page: https://crates.io/api/v1/crates/tokio/0.2.22/download

Dependency Hierarchy:

  • postgres-0.17.5.crate (Root Library)
    • tokio-0.2.22.crate (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An issue was discovered in the tokio crate before 1.8.4, and 1.9.x through 1.13.x before 1.13.1, for Rust. In certain circumstances involving a closed oneshot channel, there is a data race and memory corruption.
Mend Note: Converted from WS-2021-0424, on 2022-11-07.

Publish Date: 2021-12-27

URL: CVE-2021-45710

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2021-0124.html

Release Date: 2021-12-27

Fix Resolution: tokio - 1.8.4,1.13.1

Every tokio finding on this page is reached through postgres 0.17.5 (and postgis 0.7.0), which pin the 0.2 line; the fixed releases are on the 1.x line, so cargo update cannot select them. The remediation is to move the root dependency to a postgres/tokio-postgres release built on tokio 1.x, then confirm with cargo tree -i tokio that no 0.2.x copy remains and re-run cargo audit.

CVE-2022-45688 (High) detected in json-20200518.jar

CVE-2022-45688 - High Severity Vulnerability

Vulnerable Library - json-20200518.jar

JSON is a light-weight, language independent, data interchange format. See http://www.JSON.org/

The files in this package implement JSON encoders/decoders in Java. It also includes the capability to convert between JSON and XML, HTTP headers, Cookies, and CDL.

This is a reference implementation. There is a large number of JSON packages in Java. Perhaps someday the Java community will standardize on one. Until then, choose carefully.

The license includes this restriction: "The software shall be used for good, not evil." If your conscience cannot live with that, then choose a different package.

Library home page: https://github.com/douglascrockford/JSON-java

Path to vulnerable library: /lib/json-20200518.jar

Dependency Hierarchy:

  • json-20200518.jar (Vulnerable Library)

Found in HEAD commit: f5ba21d0a4068619df7211588d4398145fe3eff3

Found in base branch: master

Vulnerability Details

A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
The CVE text names hutool-json, whose JSON/XML code is derived from org.json; the referenced GHSA-3vqj-43w4-2q58 applies the same XML.toJSONObject stack overflow to org.json:json, which is why it is reported here against json-20200518.jar with the fix in release 20230227. A stack overflow in a recursive converter is driven by nesting depth, so any code path that hands untrusted XML to XML.toJSONObject is exposed.
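A stack overflow in a recursive XML-to-JSON converter is a nesting-depth problem, so the standard mitigation is to refuse input beyond a fixed depth before recursing. The following is an added example written for this page in Rust (not org.json code and not a port of its fix): a minimal parser for nested tags only, with a max_depth guard, plus deep_input(n), which builds the n-level payload shape. Element, ParseError, Parser and the tag grammar are this example's own.

```rust
/// One element and its nested children. Text and attributes are deliberately out of
/// scope: nesting is the only thing this parser models.
#[derive(Debug, PartialEq)]
pub struct Element {
    pub name: String,
    pub children: Vec<Element>,
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    TooDeep { limit: usize },
    Malformed(String),
}

pub struct Parser<'a> {
    src: &'a [u8],
    pos: usize,
    max_depth: usize,
}

impl<'a> Parser<'a> {
    pub fn new(src: &'a str, max_depth: usize) -> Self {
        Parser { src: src.as_bytes(), pos: 0, max_depth }
    }

    pub fn parse_document(&mut self) -> Result<Element, ParseError> {
        let root = self.parse_element(0)?;
        self.skip_ws();
        if self.pos != self.src.len() {
            return Err(ParseError::Malformed("trailing data after root element".into()));
        }
        Ok(root)
    }

    fn skip_ws(&mut self) {
        while self.pos < self.src.len() && self.src[self.pos].is_ascii_whitespace() {
            self.pos += 1;
        }
    }

    /// Reads `<name>` or `</name>` at the cursor and returns (is_closing, name).
    fn read_tag(&mut self) -> Result<(bool, String), ParseError> {
        if self.src.get(self.pos) != Some(&b'<') {
            return Err(ParseError::Malformed(format!("expected '<' at byte {}", self.pos)));
        }
        self.pos += 1;
        let closing = self.src.get(self.pos) == Some(&b'/');
        if closing {
            self.pos += 1;
        }
        let start = self.pos;
        while self.pos < self.src.len()
            && (self.src[self.pos].is_ascii_alphanumeric() || matches!(self.src[self.pos], b'_' | b'-' | b':'))
        {
            self.pos += 1;
        }
        if self.pos == start {
            return Err(ParseError::Malformed(format!("empty tag name at byte {start}")));
        }
        let name = String::from_utf8_lossy(&self.src[start..self.pos]).into_owned();
        if self.src.get(self.pos) != Some(&b'>') {
            return Err(ParseError::Malformed(format!("expected '>' after tag name {name}")));
        }
        self.pos += 1;
        Ok((closing, name))
    }

    fn parse_element(&mut self, depth: usize) -> Result<Element, ParseError> {
        // The guard: refuse before recursing, so stack use is bounded by max_depth frames.
        if depth >= self.max_depth {
            return Err(ParseError::TooDeep { limit: self.max_depth });
        }
        self.skip_ws();
        let (closing, name) = self.read_tag()?;
        if closing {
            return Err(ParseError::Malformed(format!("unexpected closing tag </{name}>")));
        }
        let mut children = Vec::new();
        loop {
            self.skip_ws();
            if self.src[self.pos..].starts_with(b"</") {
                let (_, close_name) = self.read_tag()?;
                if close_name != name {
                    return Err(ParseError::Malformed(format!("<{name}> closed by </{close_name}>")));
                }
                return Ok(Element { name, children });
            }
            children.push(self.parse_element(depth + 1)?);
        }
    }
}

pub fn parse(src: &str, max_depth: usize) -> Result<Element, ParseError> {
    Parser::new(src, max_depth).parse_document()
}

/// Builds `n` nested `<x>` elements: the shape of a nesting-depth DoS payload (constructed input).
pub fn deep_input(n: usize) -> String {
    let mut s = String::with_capacity(n * 7);
    for _ in 0..n {
        s.push_str("<x>");
    }
    for _ in 0..n {
        s.push_str("</x>");
    }
    s
}
```

The check happens on entry to parse_element, before any allocation or recursion, so a payload nested one level too deep costs one frame above the limit and then fails with a clean error instead of exhausting the stack; the limit itself is a configuration value a caller sets from what its data legitimately needs.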

Publish Date: 2022-12-13

URL: CVE-2022-45688

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-3vqj-43w4-2q58

Release Date: 2022-12-13

Fix Resolution: json - 20230227

WS-2020-0189 (Medium) detected in futures-util-0.3.6.crate - autoclosed

WS-2020-0189 - Medium Severity Vulnerability

Vulnerable Library - futures-util-0.3.6.crate

Common utilities and extension traits for the futures-rs library.

Library home page: https://crates.io/api/v1/crates/futures-util/0.3.6/download

Dependency Hierarchy:

  • postgis-0.7.0.crate (Root Library)
    • postgres-0.17.5.crate
      • tokio-postgres-0.5.5.crate
        • futures-0.3.6.crate
          • futures-executor-0.3.6.crate
            • futures-util-0.3.6.crate (Vulnerable Library)

Found in HEAD commit: f5ba21d0a4068619df7211588d4398145fe3eff3

Found in base branch: master

Vulnerability Details

Affected versions of futures-rs had a Send/Sync implementation for MappedMutexGuard that only considered variance on T, while MappedMutexGuard dereferenced to U.

This could have led to data races in safe Rust code when a closure used in MutexGuard::map() returns a U that is unrelated to T.

The issue was fixed by correcting the Send and Sync implementations and by adding a PhantomData<&'a mut U> marker to the MappedMutexGuard type, telling the compiler that the guard is over U too.

This affects futures-rs 0.3.2 through 0.3.6 and is fixed in futures-rs 0.3.7 onwards.

Publish Date: 2020-11-02

URL: WS-2020-0189

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: rust-lang/futures-rs#2239

Release Date: 2020-11-02

Fix Resolution: futures-util - 0.3.7

CVE-2021-25900 (Critical) detected in smallvec-1.4.2.crate

CVE-2021-25900 - Critical Severity Vulnerability

Vulnerable Library - smallvec-1.4.2.crate

'Small vector' optimization: store up to a small number of items on the stack

Library home page: https://crates.io/api/v1/crates/smallvec/1.4.2/download

Dependency Hierarchy:

  • postgres-0.17.5.crate (Root Library)
    • tokio-postgres-0.5.5.crate
      • parking_lot-0.11.0.crate
        • parking_lot_core-0.8.0.crate
          • smallvec-1.4.2.crate (Vulnerable Library)

Found in HEAD commit: f5ba21d0a4068619df7211588d4398145fe3eff3

Found in base branch: master

Vulnerability Details

An issue was discovered in the smallvec crate before 0.6.14 and 1.x before 1.6.1 for Rust. There is a heap-based buffer overflow in SmallVec::insert_many.
Mend Note: Converted from WS-2021-0002, on 2021-02-01.
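The RustSec advisory behind this entry attributes the overflow to insert_many trusting the lower bound of the iterator's size_hint when sizing its writes. Below is an added example for this page (this page's own code, not SmallVec's) showing the invariant a correct implementation keeps: the hint may size the initial reservation and bound the number of unchecked writes, but every element beyond it goes through a growth-aware path. LyingIter is a constructed iterator whose hint under-reports; insert_many and its return value are this example's own.

```rust
/// Iterator whose size_hint under-reports: it promises exactly one item and yields three.
/// Constructed for this example to model the input class behind the SmallVec advisory.
pub struct LyingIter {
    pub remaining: u32,
}

impl Iterator for LyingIter {
    type Item = u32;
    fn next(&mut self) -> Option<u32> {
        if self.remaining == 0 {
            None
        } else {
            self.remaining -= 1;
            Some(100 + self.remaining)
        }
    }
    fn size_hint(&self) -> (usize, Option<usize>) {
        (1, Some(1)) // wrong on purpose
    }
}

/// Inserts all items of `iter` at `index` and returns (hinted lower bound, items actually inserted).
/// The hint is used for exactly one thing: how many slots the unchecked fast path may fill.
/// Every item beyond that count goes through `Vec::push`, which re-checks capacity.
pub fn insert_many<T, I: IntoIterator<Item = T>>(v: &mut Vec<T>, index: usize, iter: I) -> (usize, usize) {
    assert!(index <= v.len(), "insert index out of range");
    let mut iter = iter.into_iter();
    let hinted = iter.size_hint().0;
    let tail = v.split_off(index); // set the tail aside; we append in place and restore it after
    v.reserve(hinted);

    // Fast path: at most `hinted` writes into spare capacity, whatever the iterator does.
    let mut written = 0;
    for slot in v.spare_capacity_mut().iter_mut().take(hinted) {
        match iter.next() {
            Some(item) => {
                slot.write(item);
                written += 1;
            }
            None => break, // hint over-reported: stop rather than expose uninitialised slots
        }
    }
    // SAFETY: exactly `written` consecutive slots past the old length were initialised above.
    unsafe { v.set_len(v.len() + written) };

    // Slow path: everything the hint did not account for.
    let mut extra = 0;
    for item in iter {
        v.push(item);
        extra += 1;
    }
    v.extend(tail);
    (hinted, written + extra)
}

fn main() {
    let mut v = vec![1u32, 2, 3];
    let (hinted, inserted) = insert_many(&mut v, 1, LyingIter { remaining: 3 });
    println!("hint said {hinted}, inserted {inserted}, result {v:?}");
}
```

Any unsafe fast path that pre-computes a write count from size_hint needs the same two properties: it never writes more than the reserved count, and it never marks as initialised anything it did not write; both the under-reporting and the over-reporting cases in the test exercise those bounds.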

Publish Date: 2021-01-26

URL: CVE-2021-25900

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-43w2-9j62-hq99

Release Date: 2021-01-26

Fix Resolution: smallvec - 0.6.14,1.6.1

WS-2023-0027 (Critical) detected in tokio-0.2.22.crate

WS-2023-0027 - Critical Severity Vulnerability

Vulnerable Library - tokio-0.2.22.crate

An event-driven, non-blocking I/O platform for writing asynchronous I/O backed applications.

Library home page: https://crates.io/api/v1/crates/tokio/0.2.22/download

Dependency Hierarchy:

  • postgres-0.17.5.crate (Root Library)
    • tokio-0.2.22.crate (Vulnerable Library)

Found in HEAD commit: f5ba21d0a4068619df7211588d4398145fe3eff3

Found in base branch: master

Vulnerability Details

A soundness issue was discovered in tokio. tokio::io::ReadHalf::unsplit can violate the Pin contract. The specific set of conditions needed to trigger the issue (a !Unpin type in ReadHalf) is unusual, and that is compounded by the difficulty of making an arbitrary use-after-free exploitable in Rust without careful alignment of data types in the surrounding code. The tokio feature io-util must also be enabled for the issue to be reachable. The 9.8 vector below does not reflect those preconditions; the practical exposure is limited to code that unsplits a ReadHalf over a !Unpin type with io-util enabled.

Publish Date: 2023-02-02

URL: WS-2023-0027

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2023-0005.html

Release Date: 2023-02-02

Fix Resolution: tokio - 1.18.5,1.20.4,1.24.2

CVE-2023-22466 (Medium) detected in tokio-0.2.22.crate

CVE-2023-22466 - Medium Severity Vulnerability

Vulnerable Library - tokio-0.2.22.crate

An event-driven, non-blocking I/O platform for writing asynchronous I/O backed applications.

Library home page: https://crates.io/api/v1/crates/tokio/0.2.22/download

Dependency Hierarchy:

  • postgres-0.17.5.crate (Root Library)
    • tokio-0.2.22.crate (Vulnerable Library)

Found in HEAD commit: f5ba21d0a4068619df7211588d4398145fe3eff3

Found in base branch: master

Vulnerability Details

Tokio is a runtime for writing applications with Rust. Starting with version 1.7.0 and prior to versions 1.18.4, 1.20.3, and 1.23.1, when configuring a Windows named pipe server, setting pipe_mode will reset reject_remote_clients to false. If the application has previously configured reject_remote_clients to true, this effectively undoes the configuration. Remote clients may only access the named pipe if the named pipe's associated path is accessible via a publicly shared folder (SMB). Versions 1.23.1, 1.20.3, and 1.18.4 have been patched. The fix will also be present in all releases starting from version 1.24.0. Named pipes were introduced to Tokio in version 1.7.0, so releases older than 1.7.0 are not affected. As a workaround, ensure that pipe_mode is set first after initializing a ServerOptions.
As reported here against tokio 0.2.22, which predates the 1.7.0 introduction of named pipes, this finding is not applicable by the advisory's own version range; the tokio upgrade is still warranted by the other tokio entries on this page.

Publish Date: 2023-01-04

URL: CVE-2023-22466

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-7rrj-xr53-82p7

Release Date: 2023-01-04

Fix Resolution: tokio - 1.18.4,1.20.3,1.23.1

CVE-2020-35922 (Medium) detected in mio-0.6.22.crate

CVE-2020-35922 - Medium Severity Vulnerability

Vulnerable Library - mio-0.6.22.crate

Lightweight non-blocking IO

Library home page: https://crates.io/api/v1/crates/mio/0.6.22/download

Dependency Hierarchy:

  • postgres-0.17.5.crate (Root Library)
    • tokio-0.2.22.crate
      • mio-0.6.22.crate (Vulnerable Library)

Found in HEAD commit: f5ba21d0a4068619df7211588d4398145fe3eff3

Found in base branch: master

Vulnerability Details

An issue was discovered in the mio crate before 0.7.6 for Rust. It has false expectations about the std::net::SocketAddr memory representation.
Mend Note: Converted from WS-2020-0225, on 2021-01-19.

Publish Date: 2020-12-31

URL: CVE-2020-35922

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2020-0081.html

Release Date: 2020-12-31

Fix Resolution: mio - 0.7.6
