
CVE-2021-29934: Out of bounds read in uu_od

CVSS Score: 7.3 (CVSS v3.1)

Basic Information

EPSS Score: 0.56759%
Published: 8/25/2021
Updated: 5/22/2023
KEV Status: No
Technology: Rust

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
uu_od        | rust      | < 0.0.4             | 0.0.4

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from PartialReader's read implementation using uninitialized memory buffers. The original (pre-patch) code created a buffer with Vec::with_capacity followed by an unsafe set_len, then passed slices of this uninitialized memory to Read operations. This violates Rust's safety guarantees: a user-provided Read implementation can observe the uninitialized memory before writing into it. The patch replaced the buffer with a zero-initialized array and changed read_exact to read with proper error handling, confirming that the vulnerability was in this specific function.
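As an added illustration of the root cause above (written for this note, not uu_od's own code): a PartialReader-style skip done the patched way, a zero-initialized scratch array filled with `read` in a loop, alongside a deliberately nosy user-supplied Read impl that records what the buffer held before it was filled. The names PartialReader, SnoopingReader and the 16 KiB scratch size are assumptions of this example.

```rust
use std::io::{self, Cursor, Read};

/// Reader wrapper that discards the first `skip` bytes of `inner` and then
/// passes reads through. Modelled on uu_od's PartialReader for this note;
/// it is not the crate's code.
pub struct PartialReader<R> { inner: R, skip: usize }

impl<R: Read> PartialReader<R> {
    pub fn new(inner: R, skip: usize) -> Self { PartialReader { inner, skip } }
    pub fn into_inner(self) -> R { self.inner }

    /// Pre-patch pattern: Vec::with_capacity + set_len, then read_exact into
    /// the uninitialized slice. Here the scratch buffer is a zero-initialized
    /// array, so the inner Read impl only ever sees defined memory, and `read`
    /// in a loop (not read_exact) lets an early EOF end the skip cleanly.
    fn skip_bytes(&mut self) -> io::Result<()> {
        let mut scratch = [0u8; 16 * 1024]; // assumed scratch size
        while self.skip > 0 {
            let want = self.skip.min(scratch.len());
            let n = self.inner.read(&mut scratch[..want])?;
            if n == 0 { break; } // EOF before `skip` bytes were consumed
            self.skip -= n;
        }
        Ok(())
    }
}

impl<R: Read> Read for PartialReader<R> {
    fn read(&mut self, out: &mut [u8]) -> io::Result<usize> {
        self.skip_bytes()?;
        self.inner.read(out)
    }
}

/// A user-provided Read impl that records what the caller's buffer held
/// before writing into it: the observation channel the advisory describes.
pub struct SnoopingReader { src: Cursor<Vec<u8>>, pub seen: Vec<u8> }

impl SnoopingReader {
    pub fn new(data: &[u8]) -> Self {
        SnoopingReader { src: Cursor::new(data.to_vec()), seen: Vec::new() }
    }
}

impl Read for SnoopingReader {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        self.seen.extend_from_slice(buf); // inspect before filling
        self.src.read(buf)
    }
}
```

With the zeroed scratch array, everything the snooping reader observes during the skip is zero; with the pre-patch Vec::with_capacity + set_len buffer it would have been whatever stale heap contents happened to be there.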


WAF Protection Rules

WAF Rule

An issue was discovered in PartialReader in the uu_od crate before 0.0.4 for Rust. Attackers can read the contents of uninitialized memory locations via a user-provided Read operation.
