5.3
CVE-2020-26235
- EPSS 1.88%
- Veröffentlicht 24.11.2020 22:15:11
- Zuletzt bearbeitet 21.11.2024 05:19:36
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginSegmentation fault in Rust time crate
In Rust time crate from version 0.2.7 and before version 0.2.23, unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires the user to set any environment variable in a different thread than the affected functions. The affected functions are time::UtcOffset::local_offset_at, time::UtcOffset::try_local_offset_at, time::UtcOffset::current_local_offset, time::UtcOffset::try_current_local_offset, time::OffsetDateTime::now_local and time::OffsetDateTime::try_now_local. Non-Unix targets are unaffected. This includes Windows and wasm. The issue was introduced in version 0.2.7 and fixed in version 0.2.23.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Time Project ≫ Time Version >= 0.2.7 < 0.2.23
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.88% | 0.767 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.3 | 1.6 | 3.6 |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
|
| nvd@nist.gov | 3.5 | 6.8 | 2.9 |
AV:N/AC:M/Au:S/C:N/I:N/A:P
|
| security-advisories@github.com | 5.3 | 1.6 | 3.6 |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
|
CWE-476 NULL Pointer Dereference
The product dereferences a pointer that it expects to be valid but is NULL.
https://crates.io/crates/time/0.2.23
https://github.com/time-rs/time/issues/293
https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396