RUSTSEC-2019-0001

See a problem?
Please try reporting it to the source first.

Source

https://rustsec.org/advisories/RUSTSEC-2019-0001

Import Source

https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2019-0001.json

JSON Data

https://api.osv.dev/v1/vulns/RUSTSEC-2019-0001

Aliases

Published

2019-04-27T12:00:00Z

Modified

2023-11-08T04:01:13.675058Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Uncontrolled recursion leads to abort in HTML serialization

Details

Affected versions of this crate did use recursion for serialization of HTML DOM trees.

This allows an attacker to cause abort due to stack overflow by providing a pathologically nested input.

The flaw was corrected by serializing the DOM tree iteratively instead.

Database specific

{
    "license": "CC0-1.0"
}

References

Affected packages

crates.io / ammonia

Package

Name: ammonia; View open source insights on deps.dev
Purl: pkg:cargo/ammonia

Affected ranges

Type: SEMVER
Events: Introduced

0.0.0-0

Fixed

2.1.0

Ecosystem specific

{
    "affects": {
        "arch": [],
        "os": [],
        "functions": [
            "ammonia::Document::to_string",
            "ammonia::Document::write_to",
            "ammonia::clean"
        ]
    },
    "affected_functions": null
}

Database specific

informational

null

cvss

"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"