RUSTSEC-2019-0025

See a problem?
Please try reporting it to the source first.
Source
https://rustsec.org/advisories/RUSTSEC-2019-0025
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2019-0025.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2019-0025
Aliases
Published
2019-10-03T12:00:00Z
Modified
2023-11-08T04:01:31.918814Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Flaw in CBOR deserializer allows stack overflow
Details

Affected versions of this crate did not properly check if semantic tags were nested excessively during deserialization.

This allows an attacker to craft small (< 1 kB) CBOR documents that cause a stack overflow.

The flaw was corrected by limiting the allowed number of nested tags.

Database specific 
{
    "license": "CC0-1.0"
}
References

Affected packages

crates.io / serde_cbor

Package

Name
serde_cbor
View open source insights on deps.dev
Purl
pkg:cargo/serde_cbor

Affected ranges

Type
SEMVER
Events
Introduced
0.0.0-0
Fixed
0.10.2

Ecosystem specific 

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [],
        "arch": []
    }
}

Database specific 

{
    "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "informational": null,
    "categories": [
        "crypto-failure"
    ]
}