CVE-2019-16139 – compact_arena

Package

Manager: cargo
Name: compact_arena
Vulnerable Version: >=0 <0.4.0

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00382 pctl0.58803

Details

Out of bounds access in compact_arena Affected versions of this crate did not properly implement the generativity, because the invariant lifetimes were not necessarily dropped. This allows an attacker to mix up two arenas, using indices created from one arena with another one. This might lead to an out-of-bounds read or write access into the memory reserved for the arena. The flaw was corrected by implementing generativity correctly in version 0.4.0.

Metadata

Created: 2021-08-25T20:44:48Z
Modified: 2023-06-13T16:57:55Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-7j36-gc4r-9x3r/GHSA-7j36-gc4r-9x3r.json
CWE IDs: ["CWE-125", "CWE-787"]
Alternative ID: GHSA-7j36-gc4r-9x3r
Finding: F111
Auto approve: 1