CVE-2021-28030 truetype

Package

Manager: cargo
Name: truetype
Vulnerable Version: >=0 <0.30.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00285 (percentile: 0.51485)

Details

Use of Uninitialized Resource in truetype

An issue was discovered in the truetype crate before 0.30.1 for Rust. Attackers can read the contents of uninitialized memory locations via a user-provided Read operation within Tape::take_bytes.

Metadata

Created: 2021-08-25T20:51:58Z
Modified: 2021-08-19T17:22:46Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-v7q4-97x4-4qw2/GHSA-v7q4-97x4-4qw2.json
CWE IDs: ["CWE-908"]
Alternative ID: GHSA-v7q4-97x4-4qw2
Finding: F138
Auto approve: 1