RUSTSEC-2021-0041

See a problem?
Please try reporting it to the source first.

Source

https://rustsec.org/advisories/RUSTSEC-2021-0041

Import Source

https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2021-0041.json

JSON Data

https://api.osv.dev/v1/vulns/RUSTSEC-2021-0041

Aliases

CAN-2021-1000007
CVE-2021-29932
GHSA-qpgv-g792-wh6x

Published

2021-03-18T12:00:00Z

Modified

2023-11-08T03:56:44.037848Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Denial of service through parsing payloads with too big exponent

Details

The parse_duration::parse function allows for parsing duration strings with exponents like 5e5s where under the hood, the BigInt type along with the pow function are used for such payloads. Passing an arbitrarily big exponent makes the parse_duration::parse function to process the payload for a very long time taking up CPU and memory.

This allows an attacker to cause a DoS if the parse_duration::parse function is used to process untrusted input.

Database specific

{
    "license": "CC0-1.0"
}

References

Affected packages

crates.io / parse_duration

Package

Name: parse_duration; View open source insights on deps.dev
Purl: pkg:cargo/parse_duration

Affected ranges

Type: SEMVER
Events: Introduced

0.0.0-0

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [
            "parse_duration::parse"
        ],
        "arch": []
    }
}

Database specific

{
    "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "informational": null,
    "categories": [
        "denial-of-service"
    ]
}