RUSTSEC-2018-0006

See a problem?
Please try reporting it to the source first.
Source
https://rustsec.org/advisories/RUSTSEC-2018-0006
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2018-0006.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2018-0006
Aliases
Published
2018-09-17T12:00:00Z
Modified
2023-11-08T04:00:13.493088Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Uncontrolled recursion leads to abort in deserialization
Details

Affected versions of this crate did not prevent deep recursion while deserializing data structures.

This allows an attacker to make a YAML file with deeply nested structures that causes an abort while deserializing it.

The flaw was corrected by checking the recursion depth.

Note: clap 2.33 is not affected by this because it uses yaml-rust in a way that doesn't trigger the vulnerability. More specifically:

  1. The input to the YAML parser is always trusted - is included at compile time via include_str!.

  2. The nesting level is never deep enough to trigger the overflow in practice (at most 5).

Database specific 
{
    "license": "CC0-1.0"
}
References

Affected packages

crates.io / yaml-rust

Package

Name
yaml-rust
View open source insights on deps.dev
Purl
pkg:cargo/yaml-rust

Affected ranges

Type
SEMVER
Events
Introduced
0.0.0-0
Fixed
0.4.1

Ecosystem specific 

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [],
        "arch": []
    }
}

Database specific 

{
    "cvss": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "informational": null,
    "categories": []
}