CVE-2020-36323

CWE-134 — Uncontrolled Format String CWE-20 — Improper Input Validation7 documents7 sources

Severity

8.2HIGH

EPSS

0.7%

top 27.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rust-lang Rust Fedoraproject Fedora

Timeline

PublishedApr 14

Latest updateMay 24

Description

In the standard library in Rust before 1.52.0, there is an optimization for joining strings that can cause uninitialized bytes to be exposed (or the program to crash) if the borrowed string changes after its length is checked.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:HExploitability: 3.9 | Impact: 4.2

Affected Packages2 packages

▶NVDrust-lang/rust< 1.52.0

▶Debianrustc< 1.53.0+dfsg1-1+2

Also affects: Fedora 32, 33, 34

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-9v8g-q8xx-7374: In the standard library in Rust before 1↗2022-05-24

▶

CVEList

CVE-2020-36323: In the standard library in Rust before 1↗2021-04-14

▶

OSV

CVE-2020-36323: In the standard library in Rust before 1↗2021-04-14

▶

📋Vendor Advisories

Microsoft

In the standard library in Rust before 1.52.0 there is an optimization for joining strings that can cause uninitialized bytes to be exposed (or the program to crash) if the borrowed string changes aft↗2021-04-13

▶

Red Hat

rust: optimization for joining strings can cause uninitialized bytes to be exposed↗2020-12-23

▶

Debian

CVE-2020-36323: rustc - In the standard library in Rust before 1.52.0, there is an optimization for join...↗2020

▶