CVE-2021-26956 – xcb
Package
Manager: cargo
Name: xcb
Vulnerable Version: >=0 <1.0.0
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00504 (percentile: 0.65137)
Details
Arbitrary return types in xcb
The function xcb::xproto::GetPropertyReply::value() returns a slice of type T, where T is an unconstrained type parameter. The raw bytes received from the X11 server are interpreted as the requested type. Users of the xcb crate are advised to call this function only with the intended types. These are u8, u16, and u32. This issue is tracked here: https://github.com/rust-x-bindings/rust-xcb/issues/95
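One way to enforce the advised restriction at compile time and at run time, as an added example that is not the xcb crate's code: `PropertyReply`, `PropElem` and `ValueError` are hypothetical stand-ins, and the reply is modelled as the X11 reply's declared format (8, 16 or 32) plus its raw bytes.

```rust
mod sealed { pub trait Sealed {} }
/// Element types a property value may be read as; sealed, so callers cannot add more.
pub trait PropElem: sealed::Sealed + Copy {
    const FORMAT: u8;
    fn from_ne(chunk: &[u8]) -> Self;
}
macro_rules! prop_elem {
    ($t:ty, $bits:expr) => {
        impl sealed::Sealed for $t {}
        impl PropElem for $t {
            const FORMAT: u8 = $bits;
            // Decode by copying bytes; no pointer cast, so alignment cannot matter.
            fn from_ne(chunk: &[u8]) -> Self {
                let mut b = [0u8; std::mem::size_of::<$t>()];
                b.copy_from_slice(chunk);
                <$t>::from_ne_bytes(b)
            }
        }
    };
}
prop_elem!(u8, 8); prop_elem!(u16, 16); prop_elem!(u32, 32);

/// Hypothetical stand-in for a GetProperty reply: declared format plus raw bytes.
pub struct PropertyReply { pub format: u8, pub data: Vec<u8> }

#[derive(Debug, PartialEq)]
pub enum ValueError { FormatMismatch { declared: u8, requested: u8 }, TruncatedData }

impl PropertyReply {
    /// Return the value only as the element type matching the declared format.
    pub fn value<T: PropElem>(&self) -> Result<Vec<T>, ValueError> {
        if self.format != T::FORMAT {
            return Err(ValueError::FormatMismatch { declared: self.format, requested: T::FORMAT });
        }
        let size = std::mem::size_of::<T>();
        if self.data.len() % size != 0 {
            return Err(ValueError::TruncatedData);
        }
        Ok(self.data.chunks_exact(size).map(T::from_ne).collect())
    }
}

fn main() {
    // Constructed sample: two 32-bit items in native byte order.
    let data = [7u32, 42].iter().flat_map(|v| v.to_ne_bytes()).collect();
    let reply = PropertyReply { format: 32, data };
    println!("{:?} {:?}", reply.value::<u32>(), reply.value::<u16>());
}
```

A call such as `reply.value::<bool>()` does not compile here, because `bool` does not implement the sealed `PropElem` trait.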
Metadata
Created: 2021-08-25T20:53:27Z
Modified: 2023-06-13T22:28:51Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-mp6r-fgw2-rxfx/GHSA-mp6r-fgw2-rxfx.json
CWE IDs: ["CWE-657"]
Alternative ID: GHSA-mp6r-fgw2-rxfx
Finding: F138
Auto approve: 1