Miggo Logo

GHSA-ghc8-5cgm-5rpf: Inventory fails to prohibit standard library access prior to initialization of Rust standard library runtime

N/A

CVSS Score

Basic Information

CVE ID
-
EPSS Score
-
CWE
-
Published
9/11/2023
Updated
9/11/2023
KEV Status
No
Technology
TechnologyRust

Technical Details

CVSS Vector
-
Package NameEcosystemVulnerable VersionsFirst Patched Version
inventoryrust< 0.2.00.2.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from two key functions:

  1. inventory::submit - Public API entry point that accepted arbitrary user values through submit! macro expansions. These values were executed in #[ctor] initializers before main.
  2. Registry::submit - Internal method that processed dynamically allocated nodes, enabling runtime-linked list manipulation before standard library initialization.

The patch (b853350) addressed this by:

  • Removing inventory::submit
  • Requiring const construction via ErasedNode
  • Replacing Box<Node<T>> with static Node using const expressions This restricted execution to compile-time only, preventing pre-main runtime code execution.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions *llow *r*itr*ry **ll*r-provi*** *o** to *x**ut* ***or* t** li**tim* o* `m*in`. I* t** **ll*r-provi*** *o** ****ss*s p*rti*ul*r pi***s o* t** st*n**r* li*r*ry t**t r*quir* *n initi*liz** Rust runtim*, su** *s `st*::io` or `st*::t*r*

Reasoning

T** vuln*r**ility st*mm** *rom two k*y *un*tions: *. inv*ntory::su*mit - Pu*li* *PI *ntry point t**t ****pt** *r*itr*ry us*r v*lu*s t*rou** su*mit! m**ro *xp*nsions. T**s* v*lu*s w*r* *x**ut** in #[*tor] initi*liz*rs ***or* m*in. *. R**istry::su*mit
GHSA-ghc8-5cgm-5rpf: Inventory Pre-Runtime Code Exec | Miggo