sentry-0.27.0.crate: 11 vulnerabilities (highest severity is: 9.8) #607
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
mend-bolt-for-github
bot
changed the title
mend-bolt-for-github
bot
changed the title
mend-bolt-for-github
bot
changed the title
|
ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory. |
mend-bolt-for-github
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Path to dependency file: /source/native-addon-rust/Cargo.toml
Path to vulnerable library: /source/native-addon-rust/Cargo.toml
Found in HEAD commit: 273a134394edfb54991ff74097965c8f3cac3de7
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - tokio-1.21.2.crate
An event-driven, non-blocking I/O platform for writing asynchronous I/O backed applications.
Library home page: https://static.crates.io/crates/tokio/tokio-1.21.2.crate
Path to dependency file: /source/native-addon-rust/Cargo.toml
Path to vulnerable library: /source/native-addon-rust/Cargo.toml
Dependency Hierarchy:
Found in HEAD commit: 273a134394edfb54991ff74097965c8f3cac3de7
Found in base branch: master
Vulnerability Details
A soundness issue was discovered in tokio. tokio::io::ReadHalf::unsplit can violate the Pin contract. Specific set of conditions needed to trigger an issue (a !Unpin type in ReadHalf) is unusual, combined with the difficulty of making any arbitrary use-after-free exploitable in Rust without doing a lot of careful alignment of data types in the surrounding code. The tokio feature io-util is also required to be enabled to trigger this soundness issue.
Publish Date: 2024-11-03
URL: WS-2023-0027
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://rustsec.org/advisories/RUSTSEC-2023-0005.html
Release Date: 2023-02-02
Fix Resolution: tokio - 1.18.5,1.20.4,1.24.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - openssl-0.10.42.crate
OpenSSL bindings
Library home page: https://static.crates.io/crates/openssl/openssl-0.10.42.crate
Path to dependency file: /source/native-addon-rust/Cargo.toml
Path to vulnerable library: /source/native-addon-rust/Cargo.toml
Dependency Hierarchy:
Found in HEAD commit: 273a134394edfb54991ff74097965c8f3cac3de7
Found in base branch: master
Vulnerability Details
opensslX509VerifyParamRef::set_hostbuffer over-readPublish Date: 2024-11-03
URL: WS-2023-0195
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-xcf7-rvmh-g6q4
Release Date: 2023-06-22
Fix Resolution: openssl - 0.10.55
Step up your Open Source Security Game with Mend here
Vulnerable Library - remove_dir_all-0.5.3.crate
A safe, reliable implementation of remove_dir_all for Windows
Library home page: https://crates.io/api/v1/crates/remove_dir_all/0.5.3/download
Path to dependency file: /source/native-addon-rust/Cargo.toml
Path to vulnerable library: /source/native-addon-rust/Cargo.toml
Dependency Hierarchy:
Found in HEAD commit: 273a134394edfb54991ff74097965c8f3cac3de7
Found in base branch: master
Vulnerability Details
The remove_dir_all crate is a Rust library that offers additional features over the Rust standard library fs::remove_dir_all function. It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked.
Publish Date: 2024-11-21
URL: WS-2023-0045
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-mc8h-8q98-g5hr
Release Date: 2023-02-24
Fix Resolution: remove_dir_all - 0.8.0
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - openssl-0.10.42.crate, openssl-sys-0.9.77.crate
openssl-0.10.42.crate
OpenSSL bindings
Library home page: https://static.crates.io/crates/openssl/openssl-0.10.42.crate
Path to dependency file: /source/native-addon-rust/Cargo.toml
Path to vulnerable library: /source/native-addon-rust/Cargo.toml
Dependency Hierarchy:
openssl-sys-0.9.77.crate
FFI bindings to OpenSSL
Library home page: https://static.crates.io/crates/openssl-sys/openssl-sys-0.9.77.crate
Path to dependency file: /source/native-addon-rust/Cargo.toml
Path to vulnerable library: /source/native-addon-rust/Cargo.toml
Dependency Hierarchy:
Found in HEAD commit: 273a134394edfb54991ff74097965c8f3cac3de7
Found in base branch: master
Vulnerability Details
opensslSubjectAlternativeNameandExtendedKeyUsage::otherallow arbitrary file readPublish Date: 2024-11-03
URL: WS-2023-0083
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-9qwg-crg9-m2vc
Release Date: 2023-03-25
Fix Resolution: openssl - 0.10.48
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - openssl-0.10.42.crate, openssl-sys-0.9.77.crate
openssl-0.10.42.crate
OpenSSL bindings
Library home page: https://static.crates.io/crates/openssl/openssl-0.10.42.crate
Path to dependency file: /source/native-addon-rust/Cargo.toml
Path to vulnerable library: /source/native-addon-rust/Cargo.toml
Dependency Hierarchy:
openssl-sys-0.9.77.crate
FFI bindings to OpenSSL
Library home page: https://static.crates.io/crates/openssl-sys/openssl-sys-0.9.77.crate
Path to dependency file: /source/native-addon-rust/Cargo.toml
Path to vulnerable library: /source/native-addon-rust/Cargo.toml
Dependency Hierarchy:
Found in HEAD commit: 273a134394edfb54991ff74097965c8f3cac3de7
Found in base branch: master
Vulnerability Details
opensslX509NameBuilder::buildreturned object is not thread safePublish Date: 2024-11-03
URL: WS-2023-0082
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-3gxf-9r58-2ghg
Release Date: 2023-03-25
Fix Resolution: openssl - 0.10.48
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - openssl-0.10.42.crate, openssl-sys-0.9.77.crate
openssl-0.10.42.crate
OpenSSL bindings
Library home page: https://static.crates.io/crates/openssl/openssl-0.10.42.crate
Path to dependency file: /source/native-addon-rust/Cargo.toml
Path to vulnerable library: /source/native-addon-rust/Cargo.toml
Dependency Hierarchy:
openssl-sys-0.9.77.crate
FFI bindings to OpenSSL
Library home page: https://static.crates.io/crates/openssl-sys/openssl-sys-0.9.77.crate
Path to dependency file: /source/native-addon-rust/Cargo.toml
Path to vulnerable library: /source/native-addon-rust/Cargo.toml
Dependency Hierarchy:
Found in HEAD commit: 273a134394edfb54991ff74097965c8f3cac3de7
Found in base branch: master
Vulnerability Details
opensslX509Extension::newandX509Extension::new_nidnull pointer dereferencePublish Date: 2024-11-03
URL: WS-2023-0081
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-6hcf-g6gr-hhcr
Release Date: 2023-03-25
Fix Resolution: openssl - 0.10.48
Step up your Open Source Security Game with Mend here
Vulnerable Library - mio-0.8.5.crate
Lightweight non-blocking I/O.
Library home page: https://static.crates.io/crates/mio/mio-0.8.5.crate
Path to dependency file: /source/native-addon-rust/Cargo.toml
Path to vulnerable library: /source/native-addon-rust/Cargo.toml
Dependency Hierarchy:
Found in HEAD commit: 273a134394edfb54991ff74097965c8f3cac3de7
Found in base branch: master
Vulnerability Details
Mio is a Metal I/O library for Rust. When using named pipes on Windows, mio will under some circumstances return invalid tokens that correspond to named pipes that have already been deregistered from the mio registry. The impact of this vulnerability depends on how mio is used. For some applications, invalid tokens may be ignored or cause a warning or a crash. On the other hand, for applications that store pointers in the tokens, this vulnerability may result in a use-after-free. For users of Tokio, this vulnerability is serious and can result in a use-after-free in Tokio. The vulnerability is Windows-specific, and can only happen if you are using named pipes. Other IO resources are not affected. This vulnerability has been fixed in mio v0.8.11. All versions of mio between v0.7.2 and v0.8.10 are vulnerable. Tokio is vulnerable when you are using a vulnerable version of mio AND you are using at least Tokio v1.30.0. Versions of Tokio prior to v1.30.0 will ignore invalid tokens, so they are not vulnerable. Vulnerable libraries that use mio can work around this issue by detecting and ignoring invalid tokens.
Publish Date: 2024-03-06
URL: CVE-2024-27308
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-r8w9-5wcg-vfj7
Release Date: 2024-03-06
Fix Resolution: mio - 0.8.11
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - hyper-0.14.22.crate, h2-0.3.15.crate
hyper-0.14.22.crate
A protective and efficient HTTP library for all.
Library home page: https://static.crates.io/crates/hyper/hyper-0.14.22.crate
Path to dependency file: /source/native-addon-rust/Cargo.toml
Path to vulnerable library: /source/native-addon-rust/Cargo.toml
Dependency Hierarchy:
h2-0.3.15.crate
An HTTP/2 client and server
Library home page: https://static.crates.io/crates/h2/h2-0.3.15.crate
Path to dependency file: /source/native-addon-rust/Cargo.toml
Path to vulnerable library: /source/native-addon-rust/Cargo.toml
Dependency Hierarchy:
Found in HEAD commit: 273a134394edfb54991ff74097965c8f3cac3de7
Found in base branch: master
Vulnerability Details
An issue was discovered in hyper v0.13.7. h2-0.2.4 Stream stacking occurs when the H2 component processes HTTP2 RST_STREAM frames. As a result, the memory and CPU usage are high which can lead to a Denial of Service (DoS).
Publish Date: 2023-04-11
URL: CVE-2023-26964
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-f8vr-r385-rh5r
Release Date: 2023-04-11
Fix Resolution: h2 - 0.3.17
Step up your Open Source Security Game with Mend here
Vulnerable Library - tokio-1.21.2.crate
An event-driven, non-blocking I/O platform for writing asynchronous I/O backed applications.
Library home page: https://static.crates.io/crates/tokio/tokio-1.21.2.crate
Path to dependency file: /source/native-addon-rust/Cargo.toml
Path to vulnerable library: /source/native-addon-rust/Cargo.toml
Dependency Hierarchy:
Found in HEAD commit: 273a134394edfb54991ff74097965c8f3cac3de7
Found in base branch: master
Vulnerability Details
Tokio is a runtime for writing applications with Rust. Starting with version 1.7.0 and prior to versions 1.18.4, 1.20.3, and 1.23.1, when configuring a Windows named pipe server, setting
pipe_modewill resetreject_remote_clientstofalse. If the application has previously configuredreject_remote_clientstotrue, this effectively undoes the configuration. Remote clients may only access the named pipe if the named pipe's associated path is accessible via a publicly shared folder (SMB). Versions 1.23.1, 1.20.3, and 1.18.4 have been patched. The fix will also be present in all releases starting from version 1.24.0. Named pipes were introduced to Tokio in version 1.7.0, so releases older than 1.7.0 are not affected. As a workaround, ensure thatpipe_modeis set first after initializing aServerOptions.Publish Date: 2023-01-04
URL: CVE-2023-22466
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-7rrj-xr53-82p7
Release Date: 2023-01-04
Fix Resolution: tokio - 1.18.4,1.20.3,1.23.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - openssl-0.10.42.crate
OpenSSL bindings
Library home page: https://static.crates.io/crates/openssl/openssl-0.10.42.crate
Path to dependency file: /source/native-addon-rust/Cargo.toml
Path to vulnerable library: /source/native-addon-rust/Cargo.toml
Dependency Hierarchy:
Found in HEAD commit: 273a134394edfb54991ff74097965c8f3cac3de7
Found in base branch: master
Vulnerability Details
rust-openssl is a set of OpenSSL bindings for the Rust programming language. In affected versions "ssl::select_next_proto" can return a slice pointing into the "server" argument's buffer but with a lifetime bound to the "client" argument. In situations where the "sever" buffer's lifetime is shorter than the "client" buffer's, this can cause a use after free. This could cause the server to crash or to return arbitrary memory contents to the client. The crate"openssl" version 0.10.70 fixes the signature of "ssl::select_next_proto" to properly constrain the output buffer's lifetime to that of both input buffers. Users are advised to upgrade. In standard usage of "ssl::select_next_proto" in the callback passed to "SslContextBuilder::set_alpn_select_callback", code is only affected if the "server" buffer is constructed within the callback.
Publish Date: 2025-02-03
URL: CVE-2025-24898
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2025-02-03
Fix Resolution: openssl - 0.10.70
Step up your Open Source Security Game with Mend here
Vulnerable Library - idna-0.3.0.crate
IDNA (Internationalizing Domain Names in Applications) and Punycode.
Library home page: https://static.crates.io/crates/idna/idna-0.3.0.crate
Path to dependency file: /source/native-addon-rust/Cargo.toml
Path to vulnerable library: /source/native-addon-rust/Cargo.toml
Dependency Hierarchy:
Found in HEAD commit: 273a134394edfb54991ff74097965c8f3cac3de7
Found in base branch: master
Vulnerability Details
"idna" 0.5.0 and earlier accepts Punycode labels that do not produce any non-ASCII output, which means that either ASCII labels or the empty root label can be masked such that they appear unequal without IDNA processing or when processed with a different implementation and equal when processed with "idna" 0.5.0 or earlier.
Concretely, "example.org" and "xn--example-.org" become equal after processing by "idna" 0.5.0 or earlier. Also, "example.org.xn--" and "example.org." become equal after processing by "idna" 0.5.0 or earlier.
In applications using "idna" (but not in "idna" itself) this may be able to lead to privilege escalation when host name comparison is part of a privilege check and the behavior is combined with a client that resolves domains with such labels instead of treating them as errors that preclude DNS resolution / URL fetching and with the attacker managing to introduce a DNS entry (and TLS certificate) for an "xn--"-masked name that turns into the name of the target when processed by "idna" 0.5.0 or earlier.
Remedy
Upgrade to "idna" 1.0.3 or later, if depending on "idna" directly, or to "url" 2.5.4 or later, if depending on "idna" via "url". (This issue was fixed in "idna" 1.0.0, but versions earlier than 1.0.3 are not recommended for other reasons.)
When upgrading, please take a moment to read about "alternative Unicode back ends for "idna"" (https://docs.rs/crate/idna_adapter/latest).
If you are using Rust earlier than 1.81 in combination with SQLx 0.8.2 or earlier, please also read an "issue" (servo/rust-url#992) about combining them with "url" 2.5.4 and "idna" 1.0.3.
Additional information
This issue resulted from "idna" 0.5.0 and earlier implementing the UTS 46 specification literally on this point and the specification having this bug. The specification bug has been fixed in "revision 33 of UTS 46" (https://www.unicode.org/reports/tr46/tr46-33.html#Modifications).
Acknowledgements
Thanks to kageshiron for recognizing the security implications of this behavior.
Publish Date: 2025-02-02
URL: CVE-2024-12224
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-h97m-ww89-6jmq
Release Date: 2024-12-09
Fix Resolution: idna - 1.0.0
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: