
CVE-2021-38191 (Medium) detected in tokio-0.2.25.crate

Open mend-bolt-for-github[bot] opened this issue 4 years ago • 11 comments

CVE-2021-38191 - Medium Severity Vulnerability

Vulnerable Library - tokio-0.2.25.crate

An event-driven, non-blocking I/O platform for writing asynchronous I/O backed applications.

Library home page: https://crates.io/api/v1/crates/tokio/0.2.25/download

Dependency Hierarchy:

  • actix-web-3.3.3.crate (Root Library)
    • actix-codec-0.3.0.crate
      • :x: tokio-0.2.25.crate (Vulnerable Library)

Found in HEAD commit: a5a175063bd51fcbbce0eaba88d1b9b6ad315911

Found in base branch: master

Vulnerability Details

An issue was discovered in the tokio crate before 1.8.1 for Rust. Upon a JoinHandle::abort, a Task may be dropped in the wrong thread.

Publish Date: 2021-08-08

URL: CVE-2021-38191

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2021-0072.html

Release Date: 2021-08-08

Fix Resolution: tokio - 1.5.1, 1.6.3, 1.7.2, 1.8.1



Don't worry guys, hello-world is written in blazingly fast, configurable, lightweight and secure rust(🚀) - the CVEs are secure

ar1ja avatar Sep 28 '21 08:09 ar1ja

this ^^^^^^^^^^^^

mTvare6 avatar Sep 28 '21 12:09 mTvare6

:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.

:information_source: This issue was automatically re-opened by WhiteSource because the vulnerable library in the specific branch(es) has been detected in the WhiteSource inventory.

:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

As 🚀rust🚀 is a 🚀lightweight🚀, 🚀customisable🚀 and 🚀blazingly fast🚀 programming language these vulnerabilities are paid actors, please ignore them, they are just nothing but (🤮C🤮)ringe nonsense, 🚀🚀🚀rust🚀🚀🚀 is the best language ever, no CVE here to be found, all 🚀memory safe🚀, 🚀customisable🚀 and 🚀lightweight🚀 code as there is no 🤮C🤮 in 🚀rust🚀 which stands for 🤮cringe🤮

ar1ja avatar Jul 04 '22 05:07 ar1ja

Shouldn't we move to delete all security issues? They are clogging up my inbox, and taking too much space is antithetical to the ethos of Rust

vikramdurai avatar Aug 10 '22 00:08 vikramdurai

For what is rust? If no one asks me, I know. If I want to explain to the asker, I don't know. Quid est enim, ferrugo? Si nemo ex me quaerat, scio. Si quaerenti explicare velim, nescio

mTvare6 avatar Aug 10 '22 10:08 mTvare6

1 If I write in the languages of men or of angels, but do not have rust, I am only a resounding gong or a clanging cymbal. 2 If I have the gift of writing rust and can write all cat-clones and all ls-clones, and if I have a skill that lets me write functional OS, but do not use rust, I am nothing. 3 If I give all I possess to the people [through open source] and give over my sanity to debugging-nights that I may boast, but do not use rust, I gain nothing.

4 Rust is patient, rust is kind. It does not envy, it does not boast, it is not proud. 5 It does not dishonor others, it is not self-seeking, it is not easily angered, it keeps no record of wrongs. 6 Rust does not delight in evil but rejoices with the memory safety. 7 It always protects, always trusts, always hopes, always perseveres.

8 Rust never fails. But where there are projects, they will cease; where there are tongues, they will be stilled; where there is knowledge, it will pass away. 9 For we know in part and we write in part, 10 but when completeness comes, what is in part disappears. 11 When I was a noobie, I wrote like a noobie, I thought like a noobie, I reasoned like a noobie. When I became a rust dev, I put the ways of noobiness behind me. 12 For now we see only a reflection as in a mirror; then we shall see face to face. Now I know in part; then I shall know fully, even as I am fully known.

13 And now these three remain: rust, c and c++. But the greatest of these is rust.

mTvare6 avatar Aug 10 '22 10:08 mTvare6

> Shouldn't we move to delete all security issues? They are clogging up my inbox, and taking too much space is antithetical to the ethos of Rust

You can mute github issues, in github settings or in the email itself, your client could so probably ignore them @vikramdurai

ar1ja avatar Aug 10 '22 13:08 ar1ja