GHSA-w7j2-35mf-95p7
Suggest an improvement- Source
- https://github.com/advisories/GHSA-w7j2-35mf-95p7
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-w7j2-35mf-95p7/GHSA-w7j2-35mf-95p7.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-w7j2-35mf-95p7
- Aliases
- Published
- 2021-08-25T20:52:16Z
- Modified
- 2023-11-08T04:05:24.551510Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Incorrect check on buffer length in rand_core
- Details
-
An issue was discovered in the rand_core crate before 0.6.2 for Rust. Because
read_u32_intoandread_u64_intomishandle certain buffer-length checks, a random number generator may be seeded with too little data. The vulnerability was introduced in v0.6.0. The advisory doesn't apply to earlier minor version numbers.Because readu32into and readu64into mishandle certain buffer-length checks, a random number generator may be seeded with too little data.
- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2021-27378
- https://github.com/rust-random/rand/pull/1096
- https://github.com/rust-random/rand
- https://github.com/rust-random/rand/compare/0.6.0...rand_core-0.6.2#diff-f41b3dfa5ce28f3bee390d327c50621e141cf3569921f8e9ca15ccfcf25263a9R19
- https://github.com/rust-random/rand/compare/0.6.0...rand_core-0.6.2#diff-f41b3dfa5ce28f3bee390d327c50621e141cf3569921f8e9ca15ccfcf25263a9R28
- https://rustsec.org/advisories/RUSTSEC-2021-0023.html
Affected packages
crates.io / rand_core
Package
- Name
- rand_core
- View open source insights on deps.dev
- Purl
- pkg:cargo/rand_core