RUSTSEC-2022-0030

Source

https://rustsec.org/advisories/RUSTSEC-2022-0030

Import Source

https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0030.json

Aliases

CVE-2022-31099
GHSA-v78m-2q7v-fjqp

Published

2022-05-21T12:00:00Z

Modified

2023-11-08T04:09:25.959683Z

Details

When parsing untrusted rulex expressions, the stack may overflow, possibly enabling a Denial of Service attack. This happens when parsing an expression with several hundred levels of nesting, causing the process to abort immediately.

The flaw was corrected in commits 60aa2dc03a by adding a check to recursion depth.

References

https://crates.io/crates/rulex
https://rustsec.org/advisories/RUSTSEC-2022-0030.html
https://github.com/rulex-rs/rulex/security/advisories/GHSA-v78m-2q7v-fjqp

Affected packages

crates.io / rulex

Package

Name: rulex

Affected ranges

Type: SEMVER
Events: Introduced

0.0.0-0

Fixed

0.4.3

Ecosystem specific

{
    "affects": {
        "os": [],
        "functions": [],
        "arch": []
    }
}

Database specific

{
    "cvss": null,
    "informational": null,
    "categories": [
        "denial-of-service"
    ]
}