Miggo Logo

CVE-2020-35893: Off-by-one error in simple-slab

7.5

CVSS Score
3.1

Basic Information

EPSS Score
0.55713%
Published
8/25/2021
Updated
4/6/2023
KEV Status
No
Technology
TechnologyRust

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
simple-slabrust< 0.3.30.3.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

  1. The CVE description explicitly mentions remove() has an off-by-one error. The commit diff shows the vulnerable line 'last_elem_ptr = self.mem.offset(self.len as isize)' was changed to '(self.len - 1)', confirming the off-by-one.
  2. Issue #2 and advisory descriptions mention index() allowing OOB reads. The commit added 'assert!(index < self.len)' to index(), proving prior lack of bounds checking.
  3. Both functions are in src/lib.rs as shown in the diff, with clear vulnerability patterns matching CWE-193 (Off-by-one) and CWE-125 (Out-of-bounds read).

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *is*ov*r** in t** simpl*-sl** *r*t* ***or* *.*.* *or Rust. r*mov*() **s *n o**-*y-on* *rror, **usin* m*mory l**k*** *n* * *rop o* uniniti*liz** m*mory.

Reasoning

*. T** *V* **s*ription *xpli*itly m*ntions r*mov*() **s *n o**-*y-on* *rror. T** *ommit *i** s*ows t** vuln*r**l* lin* 'l*st_*l*m_ptr = s*l*.m*m.o**s*t(s*l*.l*n *s isiz*)' w*s ***n*** to '(s*l*.l*n - *)', *on*irmin* t** o**-*y-on*. *. Issu* #* *n* **