hello-world.rs
hello-world.rs copied to clipboard
mTvare6
CVE-2020-26235 (Medium) detected in chrono-0.4.19.crate
CVE-2020-26235 - Medium Severity Vulnerability
Vulnerable Library - chrono-0.4.19.crate
Date and time library for Rust
Library home page: https://crates.io/api/v1/crates/chrono/0.4.19/download
Dependency Hierarchy:
- :x: chrono-0.4.19.crate (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In Rust time crate from version 0.2.7 and before version 0.2.23, unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires the user to set any environment variable in a different thread than the affected functions. The affected functions are time::UtcOffset::local_offset_at, time::UtcOffset::try_local_offset_at, time::UtcOffset::current_local_offset, time::UtcOffset::try_current_local_offset, time::OffsetDateTime::now_local and time::OffsetDateTime::try_now_local. Non-Unix targets are unaffected. This includes Windows and wasm. The issue was introduced in version 0.2.7 and fixed in version 0.2.23.
Publish Date: 2020-11-24
URL: CVE-2020-26235
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://rustsec.org/advisories/RUSTSEC-2020-0071.html
Release Date: 2020-11-24
Fix Resolution: chrono - 0.4.20,time - 0.2.23
Step up your Open Source Security Game with Mend here
![mend-bolt-for-github[bot] avatar](https://avatars.githubusercontent.com/in/16809?v=4 "Published by a pub.dev verified publisher"){kind=small}