GHSA-jf5h-cf95-w759
Suggest an improvement- Source
- https://github.com/advisories/GHSA-jf5h-cf95-w759
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-jf5h-cf95-w759/GHSA-jf5h-cf95-w759.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-jf5h-cf95-w759
- Aliases
-
- CVE-2021-45687
- GHSA-w428-f65r-h4q2
- RUSTSEC-2021-0089
- Published
- 2022-06-17T00:16:24Z
- Modified
- 2023-11-08T04:07:21.872047Z
- Summary
- Optional `Deserialize` implementations lacking validation
- Details
-
When activating the non-default feature
serialize, most structs implementserde::Deserializewithout sufficient validation. This allows breaking invariants in safe code, leading to:- Undefined behavior in
as_string()methods (which usestd::str::from_utf8_unchecked()internally). - Panics due to failed assertions.
See https://github.com/gz/rust-cpuid/issues/43.
- Undefined behavior in
- Database specific
{ "nvd_published_at": null, "github_reviewed_at": "2022-06-17T00:16:24Z", "cwe_ids": [], "severity": "MODERATE", "github_reviewed": true }- References
Affected packages
crates.io / raw-cpuid
Package
- Name
- raw-cpuid
- View open source insights on deps.dev
- Purl
- pkg:cargo/raw-cpuid