CVE-2020-26235 (Medium) detected in chrono-0.4.19.crate #3
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2020-26235 - Medium Severity Vulnerability
Date and time library for Rust
Library home page: https://crates.io/api/v1/crates/chrono/0.4.19/download
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Dependency Hierarchy:
Found in HEAD commit: 8442595dc68076584ca77572fc42224085fe9ae5
Found in base branch: main
In Rust time crate from version 0.2.7 and before version 0.2.23, unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires the user to set any environment variable in a different thread than the affected functions. The affected functions are time::UtcOffset::local_offset_at, time::UtcOffset::try_local_offset_at, time::UtcOffset::current_local_offset, time::UtcOffset::try_current_local_offset, time::OffsetDateTime::now_local and time::OffsetDateTime::try_now_local. Non-Unix targets are unaffected. This includes Windows and wasm. The issue was introduced in version 0.2.7 and fixed in version 0.2.23.
Publish Date: 2020-11-24
URL: CVE-2020-26235
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://rustsec.org/advisories/RUSTSEC-2020-0071.html
Release Date: 2020-11-24
Fix Resolution: chrono - 0.4.20,time - 0.2.23
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: