CVE-2020-15254 - OpenCVE

Crossbeam is a set of tools for concurrent programming. In crossbeam-channel before version 0.4.4, the bounded channel incorrectly assumes that `Vec::from_iter` has allocated capacity that same as the number of iterator elements. `Vec::from_iter` does not actually guarantee that and may allocate extra memory. The destructor of the `bounded` channel reconstructs `Vec` from the raw pointer based on the incorrect assumes described above. This is unsound and causing deallocation with the incorrect capacity when `Vec::from_iter` has allocated different sizes with the number of iterator elements. This has been fixed in crossbeam-channel 0.4.4.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Crossbeam Project	Crossbeam

Configuration 1 [-]

cpe:2.3:a:crossbeam_project:crossbeam:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/RustSec/advisory-db/pull/425	Patch Third Party Advisory
https://github.com/crossbeam-rs/crossbeam/issues/539	Exploit Third Party Advisory
https://github.com/crossbeam-rs/crossbeam/pull/533	Exploit Patch Third Party Advisory
https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-v5m7-53cv-f3hx	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-10-16T17:05:24

Updated: 2020-10-16T17:05:23

Reserved: 2020-06-25T00:00:00

Link: CVE-2020-15254

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-10-16T17:15:12.057

Modified: 2022-08-05T19:30:49.067

Link: CVE-2020-15254

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "crossbeam", "vendor": "crossbeam-rs", "versions": [{"status": "affected", "version": "< 0.4.4"}]}], "descriptions": [{"lang": "en", "value": "Crossbeam is a set of tools for concurrent programming. In crossbeam-channel before version 0.4.4, the bounded channel incorrectly assumes that `Vec::from_iter` has allocated capacity that same as the number of iterator elements. `Vec::from_iter` does not actually guarantee that and may allocate extra memory. The destructor of the `bounded` channel reconstructs `Vec` from the raw pointer based on the incorrect assumes described above. This is unsound and causing deallocation with the incorrect capacity when `Vec::from_iter` has allocated different sizes with the number of iterator elements. This has been fixed in crossbeam-channel 0.4.4."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-119", "description": "{\"CWE-119\":\"Improper Restriction of Operations within the Bounds of a Memory Buffer\"}", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-10-16T17:05:23", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-v5m7-53cv-f3hx"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/crossbeam-rs/crossbeam/issues/539"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/crossbeam-rs/crossbeam/pull/533"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/RustSec/advisory-db/pull/425"}], "source": {"advisory": "GHSA-v5m7-53cv-f3hx", "discovery": "UNKNOWN"}, "title": "Undefined Behavior in bounded Crossbeam channel", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15254", "STATE": "PUBLIC", "TITLE": "Undefined Behavior in bounded Crossbeam channel"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "crossbeam", "version": {"version_data": [{"version_value": "< 0.4.4"}]}}]}, "vendor_name": "crossbeam-rs"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Crossbeam is a set of tools for concurrent programming. In crossbeam-channel before version 0.4.4, the bounded channel incorrectly assumes that `Vec::from_iter` has allocated capacity that same as the number of iterator elements. `Vec::from_iter` does not actually guarantee that and may allocate extra memory. The destructor of the `bounded` channel reconstructs `Vec` from the raw pointer based on the incorrect assumes described above. This is unsound and causing deallocation with the incorrect capacity when `Vec::from_iter` has allocated different sizes with the number of iterator elements. This has been fixed in crossbeam-channel 0.4.4."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "{\"CWE-119\":\"Improper Restriction of Operations within the Bounds of a Memory Buffer\"}"}]}]}, "references": {"reference_data": [{"name": "https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-v5m7-53cv-f3hx", "refsource": "CONFIRM", "url": "https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-v5m7-53cv-f3hx"}, {"name": "https://github.com/crossbeam-rs/crossbeam/issues/539", "refsource": "MISC", "url": "https://github.com/crossbeam-rs/crossbeam/issues/539"}, {"name": "https://github.com/crossbeam-rs/crossbeam/pull/533", "refsource": "MISC", "url": "https://github.com/crossbeam-rs/crossbeam/pull/533"}, {"name": "https://github.com/RustSec/advisory-db/pull/425", "refsource": "MISC", "url": "https://github.com/RustSec/advisory-db/pull/425"}]}, "source": {"advisory": "GHSA-v5m7-53cv-f3hx", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15254", "datePublished": "2020-10-16T17:05:24", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2020-10-16T17:05:23", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:crossbeam_project:crossbeam:*:*:*:*:*:*:*:*", "matchCriteriaId": "88240C4C-2AB0-4B8F-8CC8-371F77E60B96", "versionEndExcluding": "0.4.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Crossbeam is a set of tools for concurrent programming. In crossbeam-channel before version 0.4.4, the bounded channel incorrectly assumes that `Vec::from_iter` has allocated capacity that same as the number of iterator elements. `Vec::from_iter` does not actually guarantee that and may allocate extra memory. The destructor of the `bounded` channel reconstructs `Vec` from the raw pointer based on the incorrect assumes described above. This is unsound and causing deallocation with the incorrect capacity when `Vec::from_iter` has allocated different sizes with the number of iterator elements. This has been fixed in crossbeam-channel 0.4.4."}, {"lang": "es", "value": "Crossbeam es un conjunto de herramientas para programaci\u00f3n concurrente. En crossbeam-channel versiones anteriores a 0.4.4, el canal acotado asume inapropiadamente que \"Vec::from_iter\" ha asignado una capacidad igual a la cantidad de elementos iteradores. \"Vec::from_iter\" en realidad no garantiza eso y puede asignar memoria extra. El destructor del canal \"bounded\" reconstruye \"Vec\" a partir del puntero sin procesar bas\u00e1ndose en los supuestos incorrectos descritos anteriormente. Esto no es correcto y causa una desasignaci\u00f3n con la capacidad incorrecta cuando \"VVec::from_iter\" ha asignado diferentes tama\u00f1os con el n\u00famero de elementos del iterador. Esto ha sido corregido en crossbeam-channel versi\u00f3n 0.4.4"}], "id": "CVE-2020-15254", "lastModified": "2022-08-05T19:30:49.067", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-10-16T17:15:12.057", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/RustSec/advisory-db/pull/425"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/crossbeam-rs/crossbeam/issues/539"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/crossbeam-rs/crossbeam/pull/533"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-v5m7-53cv-f3hx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-119"}], "source": "security-advisories@github.com", "type": "Secondary"}]}