WS-2023-0196 (Critical) detected in multiple libraries

[mend-bolt-for-github]

WS-2023-0196 - Critical Severity Vulnerability

Vulnerable Libraries - memoffset-0.6.1.crate, memoffset-0.5.4.crate, memoffset-0.5.3.crate, memoffset-0.2.1.crate, memoffset-0.5.1.crate, memoffset-0.5.5.crate

memoffset-0.6.1.crate

offset_of functionality for Rust structs.

Library home page: https://crates.io/api/v1/crates/memoffset/0.6.1/download

Path to dependency file: /third_party/rust_crates/vendor/handlebars/Cargo.toml

Path to vulnerable library: /third_party/rust_crates/vendor/handlebars/Cargo.toml

Dependency Hierarchy:

• criterion-0.3.4.crate (Root Library)
  • rayon-1.5.0.crate
    • rayon-core-1.9.0.crate
      • crossbeam-deque-0.8.0.crate
        • crossbeam-epoch-0.9.3.crate
          • ❌ memoffset-0.6.1.crate (Vulnerable Library)

memoffset-0.5.4.crate

offset_of functionality for Rust structs.

Library home page: https://crates.io/api/v1/crates/memoffset/0.5.4/download

Path to dependency file: /third_party/rust_crates/vendor/flate2/Cargo.toml

Path to vulnerable library: /third_party/rust_crates/vendor/flate2/Cargo.toml

Dependency Hierarchy:

• tokio-threadpool-0.1.18.crate (Root Library)
  • crossbeam-deque-0.7.3.crate
    • crossbeam-epoch-0.8.2.crate
      • ❌ memoffset-0.5.4.crate (Vulnerable Library)

memoffset-0.5.3.crate

offset_of functionality for Rust structs.

Library home page: https://crates.io/api/v1/crates/memoffset/0.5.3/download

Path to dependency file: /third_party/rust_crates/tiny_mirrors/rustls/Cargo.toml

Path to vulnerable library: /third_party/rust_crates/tiny_mirrors/rustls/Cargo.toml,/third_party/rust_crates/Cargo.toml,/third_party/rust_crates/vendor/crossbeam-epoch-0.8.2/Cargo.toml

Dependency Hierarchy:

• ❌ memoffset-0.5.3.crate (Vulnerable Library)

memoffset-0.2.1.crate

offset_of functionality for Rust structs.

Library home page: https://crates.io/api/v1/crates/memoffset/0.2.1/download

Path to dependency file: /third_party/rust_crates/vendor/base64-0.11.0/Cargo.toml

Path to vulnerable library: /third_party/rust_crates/vendor/base64-0.11.0/Cargo.toml

Dependency Hierarchy:

• criterion-0.3.0.crate (Root Library)
  • rayon-1.1.0.crate
    • crossbeam-deque-0.6.3.crate
      • crossbeam-epoch-0.7.1.crate
        • ❌ memoffset-0.2.1.crate (Vulnerable Library)

memoffset-0.5.1.crate

offset_of functionality for Rust structs.

Library home page: https://crates.io/api/v1/crates/memoffset/0.5.1/download

Path to dependency file: /third_party/rust_crates/vendor/pulldown-cmark/Cargo.toml

Path to vulnerable library: /third_party/rust_crates/vendor/pulldown-cmark/Cargo.toml

Dependency Hierarchy:

• criterion-0.3.0.crate (Root Library)
  • rayon-1.2.0.crate
    • crossbeam-deque-0.7.1.crate
      • crossbeam-epoch-0.7.2.crate
        • ❌ memoffset-0.5.1.crate (Vulnerable Library)

memoffset-0.5.5.crate

offset_of functionality for Rust structs.

Library home page: https://crates.io/api/v1/crates/memoffset/0.5.5/download

Path to dependency file: /third_party/rust_crates/vendor/base64/Cargo.toml

Path to vulnerable library: /third_party/rust_crates/vendor/base64/Cargo.toml

Dependency Hierarchy:

• criterion-0.3.2.crate (Root Library)
  • rayon-1.3.1.crate
    • rayon-core-1.7.1.crate
      • crossbeam-deque-0.7.3.crate
        • crossbeam-epoch-0.8.2.crate
          • ❌ memoffset-0.5.5.crate (Vulnerable Library)

Found in HEAD commit: 4ec0c406a28f193fe6e7376ee7696cca0532d4ba

Found in base branch: master

Vulnerability Details

memoffset allows reading uninitialized memory

Publish Date: 2024-11-03

URL: WS-2023-0196

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-wfg4-322g-9vqv

Release Date: 2023-06-22

Fix Resolution: memoffset - 0.6.2

---

Step up your Open Source Security Game with Mend here