CVE-2021-45720 – lru

Package

Manager: cargo
Name: lru
Vulnerable Version: >=0 <0.7.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.0028 pctl0.51006

Details

Use After Free in lru Lru crate has two functions for getting an iterator. Both iterators give references to key and value. Calling specific functions, like pop(), will remove and free the value, and but it's still possible to access the reference of value which is already dropped causing use after free.

Metadata

Created: 2022-01-07T22:37:01Z
Modified: 2023-06-13T18:38:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-v362-2895-h9r2/GHSA-v362-2895-h9r2.json
CWE IDs: ["CWE-416"]
Alternative ID: GHSA-v362-2895-h9r2
Finding: F138
Auto approve: 1