CVE-2020-26235 — NULL Pointer Dereference in Project Time

CWE-476 — NULL Pointer Dereference9 documents5 sources

Severity

5.3MEDIUMNVD

EPSS

0.6%

top 29.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Time Project Time Time-rs Time

Timeline

PublishedNov 24

Latest updateFeb 11

Description

In Rust time crate from version 0.2.7 and before version 0.2.23, unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires the user to set any environment variable in a different thread than the affected functions. The affected functions are time::UtcOffset::local_offset_at, time::UtcOffset::try_local_offset_at, time::UtcOffset::current_local_offset, time::UtcOffset::try_current_local_offset, time::OffsetDateTime::now_local and time…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.6 | Impact: 3.6

Affected Packages3 packages

▶NVDtime_project/time0.2.7 — 0.2.23

▶crates.iotime_project/time0.0.0-0 — 0.2.0+9

▶CVEListV5time-rs/time>= 0.2.7, <0.2.23

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Chrono has potential segfault issue in SPIFFE authenticator↗2022-02-11

▶

OSV

Chrono has potential segfault issue in SPIFFE authenticator↗2022-02-11

▶

GHSA

Segmentation fault in time↗2021-08-25

▶

OSV

Segmentation fault in time↗2021-08-25

▶

OSV

CVE-2020-26235: In Rust time crate from version 0↗2020-11-24

▶

📋Vendor Advisories

Debian

CVE-2020-26235: rust-time - In Rust time crate from version 0.2.7 and before version 0.2.23, unix-like opera...↗2020

▶