
Vulnerability in the `rsa` (a recursive dependency of SeaORM)

Open baraknaveh opened this issue 1 year ago • 3 comments

Description

Dependabot complains about a vulnerability in rsa, a recursive dependency of SeaORM. This is a link to the issue: https://rustsec.org/advisories/RUSTSEC-2023-0071.html

Vulnerability location:

├── sea-orm v0.12.15
│   ├── sea-query-binder v0.5.0
│   │   ├── sqlx v0.7.4
│   │   │   ├── sqlx-mysql v0.7.4
│   │   │   │   ├── rsa v0.9.6       <-- Vulnerable

Steps to Reproduce

Run GitHub dependabot on the codebase.

Expected Behavior

No vulnerabilities

Actual Behavior

https://rustsec.org/advisories/RUSTSEC-2023-0071.html

Reproduces How Often

Always

Workarounds

🤷‍♂️

Reproducible Example

Marvin Attack Vulnerability

Versions

v0.12.15

baraknaveh avatar Jul 26 '24 18:07 baraknaveh

Workarounds

🤷‍♂️

I believe it should be possible to patch rsa to a compatible version with a security fix, or to patch sqlx-mysql to a compatible version that replaces rsa with another crate (if that's even possible?). Consider linking these versions, if they exist.

Expurple avatar Jul 30 '24 19:07 Expurple

Looking at the discussion on the RSA repo here https://github.com/RustCrypto/RSA/issues/19, I'm not sure we can expect a fix in the short term.

The annoying thing is that it combines with a Cargo bug (https://github.com/SeaQL/sea-orm/discussions/2172), so this vulnerability is reported by dependabot even when not using mysql.

ogtn avatar Sep 24 '24 09:09 ogtn
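An added configuration example, not from the issue thread or from the SeaORM project, showing the two things a practitioner usually wants here: a Cargo.toml that enables only the backend actually in use (so sqlx-mysql, and with it the `rsa` crate named in RUSTSEC-2023-0071, is not compiled), and a cargo-audit configuration that records the advisory as an accepted risk once that has been verified. The feature names follow SeaORM's documented feature flags, but the exact set for your release should be checked against its Cargo.toml; the crate versions and the package name are assumptions.

```toml
# --- Cargo.toml (added example; versions and package name are assumptions) ---
[package]
name = "app"
version = "0.1.0"
edition = "2021"

[dependencies]
# Opt out of SeaORM's default feature set and name the backend and runtime
# explicitly, so the MySQL backend (sqlx-mysql -> rsa) is never enabled.
sea-orm = { version = "0.12", default-features = false, features = [
    "sqlx-postgres",        # the only database backend this service uses
    "runtime-tokio-rustls", # async runtime + TLS stack
    "macros",               # DeriveEntityModel and friends
] }

# --- .cargo/audit.toml (added example) ---
# cargo-audit reads Cargo.lock, so an advisory for a crate that is resolved
# into the lock file but not compiled with the enabled features is still
# reported. Once `cargo tree -i rsa` confirms nothing in the enabled feature
# set depends on rsa, record the advisory as accepted rather than silencing
# the tool globally.
[advisories]
ignore = ["RUSTSEC-2023-0071"]
```

To check what is actually built rather than what is merely locked, run `cargo tree -i rsa` (inverse dependencies, honouring the enabled features) from the crate root: no output means `rsa` is not reachable from the selected features, while a chain ending in `sqlx-mysql` means the MySQL backend is still enabled somewhere in the workspace. Keep the `ignore` entry together with the date and the `cargo tree` evidence in version control, and drop it as soon as the dependency chain changes.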

any updates?

tlsneo avatar May 11 '25 11:05 tlsneo