7.5
CVE-2023-28448
- EPSS 0.56%
- Veröffentlicht 24.03.2023 20:15:15
- Zuletzt bearbeitet 21.11.2024 07:55:06
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginVersionize is lacking bound checks, potentially leading to out of bounds memory access
Versionize is a framework for version tolerant serializion/deserialization of Rust data structures, designed for usecases that need fast deserialization times and minimal size overhead. An issue was discovered in the ‘Versionize::deserialize’ implementation provided by the ‘versionize’ crate for ‘vmm_sys_utils::fam::FamStructWrapper', which can lead to out of bounds memory accesses. The impact started with version 0.1.1. The issue was corrected in version 0.1.10 by inserting a check that verifies, for any deserialized header, the lengths of compared flexible arrays are equal and aborting deserialization otherwise.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Versionize Project ≫ Versionize SwPlatformrust Version >= 0.1.1 < 0.1.10
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.56% | 0.419 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
| security-advisories@github.com | 5.7 | 2.5 | 2.7 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
|
CWE-125 Out-of-bounds Read
The product reads data past the end, or before the beginning, of the intended buffer.
https://github.com/firecracker-microvm/versionize/commit/a57a051ba006cfa3b41a0532f484df759e008d47
https://github.com/firecracker-microvm/versionize/pull/53
https://github.com/firecracker-microvm/versionize/security/advisories/GHSA-8vxc-r5wp-vgvc