Skip to content

WS-2023-0049 (High) detected in ascii-0.8.7.crate #409

New issue
New issue
Open
Open
WS-2023-0049 (High) detected in ascii-0.8.7.crate#409
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by WhiteSource
@mend-bolt-for-github

Description

@mend-bolt-for-github
mend-bolt-for-github
bot
opened on Mar 3, 2023

WS-2023-0049 - High Severity Vulnerability

Vulnerable Library - ascii-0.8.7.crate

ASCII-only equivalents to `char`, `str` and `String`.

Library home page: https://crates.io/api/v1/crates/ascii/0.8.7/download

Dependency Hierarchy:

  • multipart-0.18.0.crate (Root Library)
    • tiny_http-0.6.4.crate
      • ascii-0.8.7.crate (Vulnerable Library)

Found in HEAD commit: a5a175063bd51fcbbce0eaba88d1b9b6ad315911

Found in base branch: master

Vulnerability Details

Ascii (crate) allows out-of-bounds array indexing in safe code.
Affected version of this crate had implementation of From<&mut AsciiStr> for &mut [u8] and &mut str. This can result in out-of-bounds array indexing in safe code.

Publish Date: 2023-03-28

URL: WS-2023-0049

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-mrrw-grhq-86gf

Release Date: 2023-03-28

Fix Resolution: ascii - 0.9.3

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by WhiteSource

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions