Miggo Logo
Miggo Vulnerability Database
CVE-2020-35916

CVE-2020-35916: Mutable reference with immutable provenance in image

5.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-35916
GHSA ID
GHSA-9wgh-vjj7-7433
EPSS Score
0.1703%
CWE
CWE-400
Published
8/25/2021
Updated
6/13/2023
KEV Status
No
Technology
TechnologyRust

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
imagerust< 0.23.120.23.12

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from macro-generated Pixel trait implementations using slice::as_ptr() instead of slice::as_mut_ptr() in their from_slice_mut functions. The commit diff shows the fix was applied to a macro template in src/color.rs that generates these pixel type implementations. The RustSec advisory explicitly lists these functions as vulnerable, and the CVE description confirms the pattern of creating mutable references from pointers with immutable provenance. High confidence comes from: 1) Direct match between patched code and vulnerable functions 2) Explicit listing in advisory 3) Clear explanation in commit message about pointer provenance violation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* mut**l* r***r*n** to * stru*t w*s *onstru*t** *y **r***r*n*in* * point*r o*t*in** *rom sli**::*s_ptr. Inst***, sli**::*s_mut_ptr s*oul* **v* ***n **ll** on t** mut**l* sli** *r*um*nt. T** *orm*r p*r*orms *n impli*it r**orrow *s *n immut**l* s**r**

Reasoning

T** vuln*r**ility st*ms *rom m**ro-**n*r*t** Pix*l tr*it impl*m*nt*tions usin* sli**::*s_ptr() inst*** o* sli**::*s_mut_ptr() in t**ir *rom_sli**_mut *un*tions. T** *ommit *i** s*ows t** *ix w*s *ppli** to * m**ro t*mpl*t* in sr*/*olor.rs t**t **n*r*