Description
Vulnerable Library - bindgen-0.59.2.crate
Path to dependency file: /yjit/bindgen/Cargo.toml
Path to vulnerable library: /yjit/bindgen/Cargo.toml
Vulnerabilities
| CVE | Severity | Dependency | Type | Fixed in (bindgen version) | Remediation Possible** |
|---|---|---|---|---|---|
| WS-2023-0223 | 5.3 | atty-0.2.14.crate | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities there is no version of the direct dependency that contains a fix. Check the "Details" section below to see whether a fixed version of the transitive dependency exists.
**In some cases a Remediation PR cannot be created automatically even though a remediation is available.
Details
WS-2023-0223
Vulnerable Library - atty-0.2.14.crate
A simple interface for querying atty
Library home page: https://crates.io/api/v1/crates/atty/0.2.14/download
Path to dependency file: /yjit/bindgen/Cargo.toml
Path to vulnerable library: /yjit/bindgen/Cargo.toml
Dependency Hierarchy:
- bindgen-0.59.2.crate (Root Library)
  - env_logger-0.9.0.crate
    - ❌ atty-0.2.14.crate (Vulnerable Library)
Found in base branch: ruby_2_7
Vulnerability Details
On Windows, atty dereferences a potentially unaligned pointer. In practice, however, the pointer will not be unaligned unless a custom global allocator is used: the System allocator on Windows uses HeapAlloc, which guarantees a large enough alignment.
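The pattern the advisory describes is a byte buffer being reinterpreted as a pointer to a larger struct and dereferenced, which is undefined behaviour in Rust unless the buffer's address happens to satisfy the struct's alignment (and, since Rust 1.70, a debug build will panic on such a dereference). The following is an added example in Rust, not atty's code and not part of this repository: `NameInfo` is a hypothetical stand-in for the Win32 structure, the buffers are constructed inline, the alignment check is performed before the dereference instead of trusting the allocator, and `ptr::read_unaligned` is shown as the alignment-independent way to read the same bytes.

```rust
// Added example: reproduces the "byte buffer cast to struct pointer" pattern
// with a hypothetical struct, and shows two ways to avoid the unaligned deref.
use std::mem::{align_of, size_of};
use std::ptr;

/// Hypothetical stand-in for a Win32 struct (such as FILE_NAME_INFO) that the
/// OS writes into a caller-supplied byte buffer: a DWORD length plus a short
/// UTF-16 name. repr(C) gives it alignment 4 and no padding (12 bytes).
#[repr(C)]
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct NameInfo {
    pub name_len: u32,
    pub name: [u16; 4],
}

/// Produce the native-endian byte image of a NameInfo, as the OS would fill it.
pub fn encode(info: &NameInfo) -> Vec<u8> {
    let mut out = Vec::with_capacity(size_of::<NameInfo>());
    out.extend_from_slice(&info.name_len.to_ne_bytes());
    for w in info.name.iter() {
        out.extend_from_slice(&w.to_ne_bytes());
    }
    out
}

/// True if `p` satisfies the alignment requirement of `T`.
pub fn is_aligned_for<T>(p: *const u8) -> bool {
    (p as usize) % align_of::<T>() == 0
}

/// The advisory's pattern (cast the buffer pointer and dereference), guarded:
/// returns None instead of invoking undefined behaviour when the buffer is too
/// short or not aligned for NameInfo.
pub fn read_by_deref(buf: &[u8]) -> Option<NameInfo> {
    if buf.len() < size_of::<NameInfo>() || !is_aligned_for::<NameInfo>(buf.as_ptr()) {
        return None;
    }
    // SAFETY: length and alignment were checked above and NameInfo is plain data.
    Some(unsafe { *(buf.as_ptr() as *const NameInfo) })
}

/// Alignment-independent alternative: read_unaligned copies the bytes out
/// regardless of the buffer's address, so only the length needs checking.
pub fn read_unaligned_copy(buf: &[u8]) -> Option<NameInfo> {
    if buf.len() < size_of::<NameInfo>() {
        return None;
    }
    // SAFETY: length checked; read_unaligned has no alignment requirement and
    // NameInfo is plain data with no invalid bit patterns.
    Some(unsafe { ptr::read_unaligned(buf.as_ptr() as *const NameInfo) })
}

/// Constructed input: a Vec<u8> with one spare byte, filled so that the struct
/// image starts at an address that is NOT 4-aligned (this is what a custom
/// global allocator, or pointer arithmetic, could hand back). Returns the
/// storage and the byte offset at which the misaligned view begins.
pub fn misaligned_buffer(info: &NameInfo) -> (Vec<u8>, usize) {
    let mut v = vec![0u8; size_of::<NameInfo>() + 1];
    let off = if is_aligned_for::<NameInfo>(v.as_ptr()) { 1 } else { 0 };
    v[off..off + size_of::<NameInfo>()].copy_from_slice(&encode(info));
    (v, off)
}

/// Storage typed as NameInfo, so the allocation is guaranteed to be aligned for
/// NameInfo rather than relying on the allocator's behaviour for u8 buffers.
pub fn aligned_read(info: &NameInfo) -> Option<NameInfo> {
    let mut backing = [NameInfo { name_len: 0, name: [0; 4] }];
    // SAFETY: the array is exactly size_of::<NameInfo>() bytes of writable memory.
    let bytes: &mut [u8] = unsafe {
        std::slice::from_raw_parts_mut(backing.as_mut_ptr() as *mut u8, size_of::<NameInfo>())
    };
    bytes.copy_from_slice(&encode(info));
    read_by_deref(bytes)
}

fn main() {
    let info = NameInfo { name_len: 3, name: [b'C' as u16, b'O' as u16, b'N' as u16, 0] };
    let (storage, off) = misaligned_buffer(&info);
    let view = &storage[off..];
    println!("view aligned for NameInfo: {}", is_aligned_for::<NameInfo>(view.as_ptr()));
    println!("guarded deref read:        {:?}", read_by_deref(view));
    println!("read_unaligned read:       {:?}", read_unaligned_copy(view));
    println!("typed-storage read:        {:?}", aligned_read(&info));
}
```

The point of the guarded `read_by_deref` is that the HeapAlloc alignment the advisory relies on is a property of one allocator, not of `Vec<u8>`; either check the address before casting, allocate storage typed for the target struct, or use `ptr::read_unaligned`, which removes the assumption entirely.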
Publish Date: 2023-06-30
URL: WS-2023-0223
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low