Plattform
rust
Komponente
base64
Behoben in
0.5.2
0.5.2
CVE-2017-1000430 identifies a buffer overflow vulnerability within the base64 Rust crate. This flaw arises from an integer overflow when calculating the buffer size used for base64 encoding via encodeconfigbuf and encode_config functions. Exploitation can lead to memory corruption and potential arbitrary code execution. Affected versions are those prior to 0.5.2; upgrading to this version resolves the issue.
The vulnerability allows an attacker to trigger a buffer overflow by providing a large input string to the encodeconfigbuf or encode_config functions. This overflow results in a buffer being allocated that is smaller than required, and subsequent writes beyond the allocated memory boundary. This memory corruption can be leveraged to overwrite critical data structures or even inject and execute arbitrary code. The potential impact is severe, as a successful exploit could grant an attacker complete control over the system running the vulnerable code. This is particularly concerning in applications relying on the base64 crate for secure data transmission or storage.
CVE-2017-1000430 was publicly disclosed on May 3, 2017. While no active exploitation campaigns have been definitively linked to this specific vulnerability, the potential for remote code execution makes it a significant risk. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are available, demonstrating the feasibility of exploiting the integer overflow.
Applications written in Rust that utilize the base64 crate are at risk. This includes projects relying on base64 encoding for data transmission, storage, or authentication. Specifically, applications that handle untrusted input data without proper validation are particularly vulnerable.
• rust/supply-chain:
cargo audit --target base64• rust/supply-chain:
cargo tree | grep base64• generic web: Inspect application logs for unusual memory access patterns or crashes related to base64 encoding operations. Look for errors indicating buffer overflows or memory corruption.
disclosure
Exploit-Status
EPSS
0.48% (65% Perzentil)
CVSS-Vektor
The primary mitigation for CVE-2017-1000430 is to upgrade the base64 crate to version 0.5.2 or later. This version incorporates checked arithmetic to prevent the integer overflow. If upgrading is not immediately feasible, consider implementing input validation to limit the size of strings passed to the encodeconfigbuf and encode_config functions. While not a complete solution, this can reduce the likelihood of triggering the overflow. There are no specific WAF or proxy rules that can directly address this vulnerability, as it resides within the application code. After upgrading, confirm the fix by attempting to encode a large string and verifying that no out-of-bounds writes occur.
Kein offizieller Patch verfügbar. Prüfe auf Workarounds oder überwache auf Updates.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2017-1000430 is a critical vulnerability in the Rust base64 crate where an integer overflow can lead to a buffer overflow, potentially allowing arbitrary code execution.
You are affected if your Rust project uses the base64 crate in a version prior to 0.5.2. Check your Cargo.toml file to determine your version.
Upgrade the base64 crate to version 0.5.2 or later using cargo update base64.
While no active exploitation campaigns have been definitively linked, the potential for arbitrary code execution makes it a high-priority concern.
Refer to the Rust security advisory and the base64 crate's release notes for details: [https://rustsec.org/](https://rustsec.org/)
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine Cargo.lock-Datei hoch und wir sagen dir sofort, ob du betroffen bist.