GHSA-w7j2-35mf-95p7

Source
https://github.com/advisories/GHSA-w7j2-35mf-95p7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-w7j2-35mf-95p7/GHSA-w7j2-35mf-95p7.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-w7j2-35mf-95p7
Aliases
Published
2021-08-25T20:52:16Z
Modified
2023-11-08T04:05:24.551510Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Incorrect check on buffer length in rand_core
Details

An issue was discovered in the rand_core crate before 0.6.2 for Rust. Because read_u32_into and read_u64_into mishandle certain buffer-length checks, a random number generator may be seeded with too little data. The vulnerability was introduced in v0.6.0. The advisory doesn't apply to earlier minor version numbers.

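The failure mode described above, as an added illustration in Rust that is not rand_core's own source: both helpers mirror the shape of rand_core::le::read_u32_into (little-endian bytes into u32 words). The lenient length check is an assumption about the shape of the pre-0.6.2 bug, not quoted from the crate; it lets a too-short seed through and the loop silently leaves part of the state unfilled, while the strict check refuses the seed up front.

```rust
// Added illustration, not rand_core's own source. Both functions convert
// little-endian bytes into u32 words in the manner of
// rand_core::le::read_u32_into; only the length check differs.

/// Lenient variant (assumed shape of the bug): the assert only rejects a `src`
/// shorter than a quarter of the number of output words, so a seed that is far
/// too short still passes. `zip` then stops at the shorter iterator and the
/// tail of `dst` keeps whatever it held before (zeros for a fresh state).
/// Returns the number of words actually written so the shortfall is visible.
pub fn read_u32_into_lenient(src: &[u8], dst: &mut [u32]) -> usize {
    assert!(4 * src.len() >= dst.len(), "lenient check: src far too short");
    let mut written = 0;
    for (out, chunk) in dst.iter_mut().zip(src.chunks_exact(4)) {
        *out = u32::from_le_bytes([chunk[0], chunk[1], chunk[2], chunk[3]]);
        written += 1;
    }
    written
}

/// Strict variant: demand four input bytes per output word before touching
/// `dst`, and report a violation instead of silently under-filling the state.
pub fn read_u32_into_checked(src: &[u8], dst: &mut [u32]) -> Result<(), String> {
    if src.len() < 4 * dst.len() {
        return Err(format!("need {} bytes to fill {} words, got {}",
                           4 * dst.len(), dst.len(), src.len()));
    }
    for (out, chunk) in dst.iter_mut().zip(src.chunks_exact(4)) {
        *out = u32::from_le_bytes([chunk[0], chunk[1], chunk[2], chunk[3]]);
    }
    Ok(())
}

/// Seeding scenario: a constructed 16-byte seed poured into an 8-word state.
/// Under the lenient check only the first 4 words are written; the rest stay 0.
pub fn seed_with_lenient_check() -> (usize, [u32; 8]) {
    let seed = [0x11u8; 16]; // constructed sample seed, half the needed length
    let mut state = [0u32; 8];
    let written = read_u32_into_lenient(&seed, &mut state);
    (written, state)
}

fn main() {
    let (written, state) = seed_with_lenient_check();
    println!("lenient: wrote {} of {} words -> {:x?}", written, state.len(), state);
    let mut state = [0u32; 8];
    match read_u32_into_checked(&[0x11u8; 16], &mut state) {
        Ok(()) => println!("checked: state fully filled"),
        Err(e) => println!("checked: rejected short seed ({})", e),
    }
}
```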

Database specific
{
    "nvd_published_at": "2021-02-18T04:15:00Z",
    "cwe_ids": [
        "CWE-330"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-19T17:35:01Z"
}
References

Affected packages

Package: crates.io / rand_core

Affected ranges
  • Type: SEMVER
  • Events: Introduced 0.6.0, Fixed 0.6.2

Ecosystem specific

{
    "affected_functions": [
        "rand_core::le::read_u32_into",
        "rand_core::le::read_u64_into"
    ]
}