GHSA-3jch-9qgp-4844 – flatbuffers
Package
Manager: cargo
Name: flatbuffers
Vulnerable Version: >=0 <22.9.29
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: N/A (percentile N/A)
Details
Generated code can read and write out of bounds in safe code
Code generated by flatbuffers' compiler is `unsafe` but not marked as such. See https://github.com/google/flatbuffers/issues/6627 for details.
All users of code generated by the `flatbuffers` compiler are recommended to:
1. Not expose flatbuffers-generated code as part of their public APIs.
2. Audit their code and look for any usage of `follow`, `push`, or any method that uses them (e.g. `self_follow`).
3. Carefully go through the crate's documentation to understand which "safe" APIs are not intended to be used.
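As an added example, not code from the advisory or from the flatbuffers project: a shell audit that checks a Cargo project against the affected version range and then lists the `follow`, `self_follow` and `push` call sites in hand-written Rust files (recommendation 2 above). The function names and the constructed sample project written by make_sample_project are assumptions made for illustration.

```shell
#!/bin/sh
# Added audit helper for GHSA-3jch-9qgp-4844; not code from the advisory
# or from the flatbuffers project. Function names and the project written
# by make_sample_project are constructed for illustration.

FIXED_VERSION="22.9.29"   # first release where generated follow/push are marked unsafe

# version_lt A B: exit 0 when dotted version A is numerically older than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            p = (i <= n) ? x[i] + 0 : 0; q = (i <= m) ? y[i] + 0 : 0
            if (p < q) exit 0; if (p > q) exit 1
        }
        exit 1 }'
}

# flatbuffers_is_vulnerable CARGO_LOCK: exit 0 if the lockfile pins
# flatbuffers below the fixed version (absent or unparsable -> exit 1).
flatbuffers_is_vulnerable() {
    ver=$(awk '/^name = "flatbuffers"$/ { getline
        if ($1 == "version") { gsub(/"/, "", $3); print $3 } }' "$1")
    [ -n "$ver" ] && version_lt "$ver" "$FIXED_VERSION"
}

# audit_unsafe_calls SRC_DIR: print file:line:text for every call to
# follow, self_follow or push in hand-written .rs files. *_generated.rs
# (flatc output) is skipped; .push hits need manual triage since Vec::push
# matches too. Call sites found here belong behind an unsafe boundary,
# not in a public API.
audit_unsafe_calls() {
    find "$1" -name '*.rs' ! -name '*_generated.rs' \
        -exec grep -nHE '(\.|::)(self_follow|follow|push)\(' {} \;
}

# make_sample_project: write a constructed project into a temp dir, print its path.
make_sample_project() {
    d=$(mktemp -d); mkdir -p "$d/src"
    printf '[[package]]\nname = "flatbuffers"\nversion = "2.1.2"\n' > "$d/Cargo.lock"
    cat > "$d/src/monster_generated.rs" <<'EOF'
pub fn root(buf: &[u8]) -> Monster { <ForwardsUOffset<Monster>>::follow(buf, 0) }
EOF
    cat > "$d/src/main.rs" <<'EOF'
pub fn name_at(buf: &[u8], loc: usize) -> &str { <&str>::follow(buf, loc) } // unmarked-unsafe follow exposed as a safe pub fn
fn collect(v: &mut Vec<u8>) { v.push(1); } // Vec::push, triage as benign
EOF
    echo "$d"
}
```

Against a real project, run `flatbuffers_is_vulnerable path/Cargo.lock && audit_unsafe_calls path/src`; the sample project exists only so the script can be tried offline.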
Metadata
Created: 2022-06-16T23:54:35Z
Modified: 2022-06-16T23:54:35Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-3jch-9qgp-4844/GHSA-3jch-9qgp-4844.json
CWE IDs: []
Alternative ID: N/A
Finding: F115
Auto approve: 1