CVE-2021-26305 - OpenCVE

An issue was discovered in Deserializer::read_vec in the cdr crate before 0.2.4 for Rust. A user-provided Read implementation can gain access to the old contents of newly allocated heap memory, violating soundness.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Cdr Project	Cdr

Configuration 1 [-]

cpe:2.3:a:cdr_project:cdr:*:*:*:*:*:rust:*:*

References

Link	Resource
https://rustsec.org/advisories/RUSTSEC-2021-0012.html	Exploit Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2021-01-29T02:27:42

Updated: 2021-01-29T02:27:42

Reserved: 2021-01-29T00:00:00

Link: CVE-2021-26305

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-01-29T03:15:12.363

Modified: 2021-02-04T17:45:38.520

Link: CVE-2021-26305

JSON object: View

Redhat Information

No data.

CWE

CWE-908

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cdr_project:cdr:*:*:*:*:*:rust:*:*", "matchCriteriaId": "EDCC330D-F564-4399-9856-704C5C8181B8", "versionEndExcluding": "0.2.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Deserializer::read_vec in the cdr crate before 0.2.4 for Rust. A user-provided Read implementation can gain access to the old contents of newly allocated heap memory, violating soundness."}, {"lang": "es", "value": "Se detect\u00f3 un problema en la funci\u00f3n Deserializer::read_vec en la crate cdr versiones anteriores a 0.2.4 para Rust. Una implementaci\u00f3n de Lectura proporcionada por el usuario puede conseguir acceso a los contenidos antiguos de la memoria de pila reci\u00e9n asignada, violando la solidez"}], "id": "CVE-2021-26305", "lastModified": "2021-02-04T17:45:38.520", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-01-29T03:15:12.363", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Vendor Advisory"], "url": "https://rustsec.org/advisories/RUSTSEC-2021-0012.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-908"}], "source": "nvd@nist.gov", "type": "Primary"}]}