influxdb-rust
                        CVE-2021-32714 CVE-2021-32715 vulnerability in hyper (transitive via surf)
This crate uses a hyper version (transitive via surf) that has vulnerabilities.
- https://rustsec.org/advisories/RUSTSEC-2021-0078
- https://rustsec.org/advisories/RUSTSEC-2021-0079
hyper v0.13.10
├── http-client v6.4.1
│   └── surf v2.2.0
│       └── influxdb v0.4.0
Thanks for the report. Is there anything we can do? Hyper 0.14 support has just landed with #92, but if you need surf with tokio support, hyper 0.13 still seems to be your only choice.
These CVEs are still outstanding as well as dependencies on the time and tokio crates. From trivy output:
Cargo.lock (cargo)
Total: 5 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 2, CRITICAL: 0)
┌─────────┬─────────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│ Library │    Vulnerability    │ Severity │ Installed Version │ Fixed Version │                          Title                           │
├─────────┼─────────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ hyper   │ GHSA-f67m-9j94-qv9j │ HIGH     │ 0.13.10           │ 0.14.12       │ Parser creates invalid uninitialized value               │
│         │                     │          │                   │               │ https://github.com/advisories/GHSA-f67m-9j94-qv9j        │
│         ├─────────────────────┼──────────┤                   ├───────────────┼──────────────────────────────────────────────────────────┤
│         │ CVE-2021-32714      │ MEDIUM   │                   │ 0.14.10       │ hyper is an HTTP library for Rust. In versions prior to  │
│         │                     │          │                   │               │ 0.14.10,...                                              │
│         │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-32714               │
│         ├─────────────────────┼──────────┤                   │               ├──────────────────────────────────────────────────────────┤
│         │ CVE-2021-32715      │ LOW      │                   │               │ hyper is an HTTP library for rust. hyper's HTTP/1 server │
│         │                     │          │                   │               │ code had...                                              │
│         │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-32715               │
├─────────┼─────────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ time    │ CVE-2020-26235      │ MEDIUM   │ 0.1.45            │ 0.2.23        │ Segmentation fault in time                               │
│         │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-26235               │
├─────────┼─────────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ tokio   │ CVE-2021-45710      │ HIGH     │ 0.2.25            │ 1.13.1, 1.8.4 │ tokio: Race leads to panic in oneshot::Sender::send()    │
│         │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-45710               │
└─────────┴─────────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
@jyoung15 We do not depend directly on any of the libraries you listed above. Neither do we require the use of these libraries, nor enable them by default. We have a reqwest-client option available that uses hyper 0.14 and tokio 1.0, and we disable the default features of chrono, so we don't have a dependency on time 0.1 at all. Unless you explicitly choose to enable the hyper-client, you are not affected by these vulnerabilities at all. Since surf did not yet update to a newer hyper client, there is nothing we can do. Please file an issue with surf if you are concerned.
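The maintainer's point turns on whether the optional hyper-client backend is actually compiled in: scanners that read Cargo.lock (trivy above, cargo audit) list every optional dependency because the lockfile is resolved with all features on, while `cargo tree -e normal` only shows the feature-aware build graph. The following is an added example, not code from the influxdb-rust project; the crate names and versions come from the thread, while the `tree_uses`/`project_uses` helpers, the `myapp` crate and the reqwest version number are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the influxdb-rust project.
# Scanners that read Cargo.lock (trivy above, cargo audit) see every optional
# dependency, because the lockfile is resolved with all features enabled.
# `cargo tree -e normal` is feature-aware: it shows what is actually compiled.

# tree_uses CRATE VERSION TREE_TEXT
# Exit 0 if "CRATE vVERSION" occurs in the given `cargo tree` output, else 1.
# (Dots in VERSION are unescaped regex metacharacters; good enough here.)
tree_uses() {
    printf '%s\n' "$3" | grep -E -q "(^|[^A-Za-z0-9_-])$1 v$2( |\$)"
}

# project_uses CRATE VERSION [cargo tree args...]
# Live check on the current project: needs cargo on PATH. Extra arguments go
# to cargo tree, e.g. --all-features for the worst case or --no-default-features.
# cargo tree fails when the package is absent; we treat that as "not in the graph".
project_uses() {
    crate="$1"; version="$2"; shift 2
    tree=$(cargo tree -e normal -i "$crate:$version" "$@" 2>/dev/null) || tree=""
    tree_uses "$crate" "$version" "$tree"
}

# Constructed `cargo tree -e normal -i hyper:0.14.12` output for an app on the
# reqwest-client backend (the reqwest version number and myapp are made up):
REQWEST_TREE='hyper v0.14.12
└── reqwest v0.11.4
    └── influxdb v0.4.0
        └── myapp v0.1.0'

# Constructed output for an app that opted into the hyper-client feature; the
# chain matches the issue report above:
HYPER_CLIENT_TREE='hyper v0.13.10
└── http-client v6.4.1
    └── surf v2.2.0
        └── influxdb v0.4.0
            └── myapp v0.1.0'

if tree_uses hyper 0.13.10 "$HYPER_CLIENT_TREE"; then
    echo "hyper-client enabled: hyper 0.13.10 is compiled, the advisories apply"
fi
if ! tree_uses hyper 0.13.10 "$REQWEST_TREE"; then
    echo "reqwest-client backend: hyper 0.13.10 is a lockfile-only entry, not built"
fi
# On a real checkout: project_uses hyper 0.13.10 && echo "vulnerable hyper compiled"
```

Run `project_uses` twice, once with the project's default features and once with `--all-features`, to see which scanner findings are reachable from the configuration you actually ship.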