CVE-2020-35889: Memory safety violation in crayon

CVSS Score: 8.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.55836%
Published: 8/25/2021
Updated: 1/9/2023
KEV Status: No
Technology: Rust

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| crayon | rust | <= 0.7.1 | |

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from ObjectPool methods assuming HandleLike trait methods (index()/version()) are pure/constant. The get and get_mut methods first check handle validity via contains(), then immediately use handle.index() in unsafe array accesses. A malicious HandleLike implementation could return different values between these operations, leading to out-of-bounds memory access. The Drop implementation also uses handle.index() without validation, but the primary attack surface is in the get/get_mut methods that combine safety checks with subsequent unsafe accesses based on potentially changing handle values.
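The mitigation for this check-then-use pattern is to call index() and version() once and do both the validity check and the access on those snapshots, using bounds-checked indexing. The following is an added example, not crayon's code: Pool, ShiftingHandle and lookup_with_shifting_handle are hypothetical names, and the HandleLike trait shape is assumed from the index()/version() methods named above.

```rust
use std::cell::Cell;

// Assumed shape of the trait, based on the methods the analysis names.
pub trait HandleLike {
    fn index(&self) -> u32;
    fn version(&self) -> u32;
}

// Hypothetical minimal pool: one version number and one value per slot.
pub struct Pool<T> {
    versions: Vec<u32>,
    entries: Vec<Option<T>>,
}

impl<T> Pool<T> {
    pub fn new(items: Vec<T>) -> Self {
        Pool { versions: vec![1; items.len()], entries: items.into_iter().map(Some).collect() }
    }

    // Hardened lookup: index()/version() are each called exactly once, and the
    // check and the access both use the snapshots through bounds-checked get().
    pub fn get<H: HandleLike>(&self, handle: &H) -> Option<&T> {
        let (index, version) = (handle.index() as usize, handle.version());
        if *self.versions.get(index)? != version {
            return None; // stale or foreign handle
        }
        self.entries.get(index)?.as_ref()
    }
}

// Constructed test handle whose index() is not pure: it returns `first` on
// the first call and `later` on every call after that.
pub struct ShiftingHandle { pub calls: Cell<u32>, pub first: u32, pub later: u32 }

impl HandleLike for ShiftingHandle {
    fn index(&self) -> u32 {
        let n = self.calls.get();
        self.calls.set(n + 1);
        if n == 0 { self.first } else { self.later }
    }
    fn version(&self) -> u32 { 1 }
}

// Returns the looked-up value and how many times index() was invoked.
pub fn lookup_with_shifting_handle() -> (Option<u32>, u32) {
    let pool = Pool::new(vec![10u32, 20, 30]);
    let h = ShiftingHandle { calls: Cell::new(0), first: 2, later: 1_000_000 };
    let found = pool.get(&h).copied();
    (found, h.calls.get())
}
```

Because the lookup never re-queries the handle, a non-constant index() cannot make the checked value and the used value diverge, and an out-of-range snapshot yields None instead of an unchecked access.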

WAF Protection Rules

WAF Rule

An issue was discovered in the crayon crate through ****-**-** for Rust. A TOCTOU issue has a resultant memory safety violation via HandleLike.