Miggo Logo
Miggo Vulnerability Database
CVE-2020-35887

CVE-2020-35887: Multiple security issues including data race, buffer overflow, and uninitialized memory drop in arr

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-35887
GHSA ID
GHSA-fhvj-7f9p-w788
EPSS Score
0.63162%
CWE
CWE-120
Published
8/25/2021
Updated
6/13/2023
KEV Status
No
Technology
TechnologyRust

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
arrrust<= 0.6.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

  1. Sync/Send implementations violate thread safety guarantees as demonstrated by Rc smuggling. 2) Index trait methods lack bounds checks as shown by OOB access in PoC. 3) new_from_template's unsafe initialization pattern causes drops of uninitialized memory. These are confirmed by code references in the GitHub issue (lib.rs lines 46-47, 129-148, 111-127) and advisory descriptions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*rr *r*t* *ont*ins multipl* s**urity issu*s. Sp**i*i**lly, *. It in*orr**tly impl*m*nts Syn*/S*n* *oun*s, w*i** *llows to smu**l* non-Syn*/S*n* typ*s **ross t** t*r*** *oun**ry. *. In**x *n* In**xMut impl*m*nt*tion *o*s not ****k t** *rr*y *oun*. *

Reasoning

*) Syn*/S*n* impl*m*nt*tions viol*t* t*r*** s***ty *u*r*nt**s *s **monstr*t** *y R* smu**lin*. *) In**x tr*it m*t*o*s l**k *oun*s ****ks *s s*own *y OO* ****ss in Po*. *) n*w_*rom_t*mpl*t*'s uns*** initi*liz*tion p*tt*rn **us*s *rops o* uniniti*liz**