Miggo Logo

GHSA-hmx9-jm3v-33hv: InputStream::read_exact : `Read` on uninitialized buffer causes UB

N/A

CVSS Score

Basic Information

CVE ID
-
EPSS Score
-
CWE
-
Published
6/16/2022
Updated
6/13/2023
KEV Status
No
Technology
TechnologyRust

Technical Details

CVSS Vector
-
Package NameEcosystemVulnerable VersionsFirst Patched Version
buffoonrust<= 0.5.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability documentation explicitly identifies InputStream::read_exact as the problematic function. The core issue is the use of an uninitialized buffer with the Read trait, which is strictly forbidden in Rust's safety model. Multiple sources (GitHub advisory, RustSec advisory, and original issue) consistently point to this specific function as the source of unsoundness. The function's behavior directly contradicts the Read trait's safety requirements documented in std::io::Read.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* t*is *r*t* p*ss*s *n uniniti*liz** *u***r to * us*r-provi*** `R***` impl*m*nt*tion. *r*itr*ry `R***` impl*m*nt*tions **n r*** *rom t** uniniti*liz** *u***r (m*mory *xposur*) *n* *lso **n r*turn in*orr**t num**r o* *yt*s writt*n t

Reasoning

T** vuln*r**ility *o*um*nt*tion *xpli*itly i**nti*i*s InputStr**m::r***_*x**t *s t** pro*l*m*ti* *un*tion. T** *or* issu* is t** us* o* *n uniniti*liz** *u***r wit* t** R*** tr*it, w*i** is stri*tly *or*i***n in Rust's s***ty mo**l. Multipl* sour**s