N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-66fw-43h8-f8p3

EPSS Score

CWE

CWE-754

Published

7/26/2024

Updated

7/26/2024

KEV Status

Technology

Rust

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-66fw-43h8-f8p3

GHSA-66fw-43h8-f8p3: XMP Toolkit's `XmpFile::close` can trigger undefined behavior

Affected versions of the crate failed to catch C++ exceptions raised within the XmpFile::close function. If such an exception occured, it would trigger undefined behavior, typically a process abort.

This is best demonstrated in issue #230, where a race condition causes the close call to fail due to file I/O errors.

This was fixed in PR #232 (released as crate version 1.9.0), which now safely handles the exception.

For backward compatibility, the existing API ignores the error. A new API XmpFile::try_close was added to allow callers to receive and process the error result.

Users of all prior versions of xmp_toolkit are encouraged to update to version 1.9.0 to avoid undefined behavior.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-66fw-43h8-f8p3

GHSA-66fw-43h8-f8p3:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-66fw-43h8-f8p3

EPSS Score

CWE

CWE-754

Published

7/26/2024

Updated

7/26/2024

KEV Status

Technology

Rust

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
xmp_toolkit	rust	< 1.9.0	1.9.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability centers around the XmpFile::close method as explicitly stated in all references. The advisory notes this function's failure to handle C++ exceptions properly, which is critical in Rust<->C++ FFI interactions. The fix in PR #232 specifically targeted this function by adding exception handling, and the new try_close API was introduced as a safe alternative. While exact file paths aren't shown in the advisory, Rust convention suggests xmp_file.rs as the logical location for XmpFile implementation. The high confidence comes from multiple corroborating sources: GHSA description, issue #230 reproduction, and the explicit fix in PR #232.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-66fw-43h8-f8p3: XMP Toolkit's `XmpFile::close` can trigger undefined behavior

GHSA-66fw-43h8-f8p3:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

GHSA-66fw-43h8-f8p3: XMP Toolkit's `XmpFile::close` can trigger undefined behavior

N/A

N/A

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI