Plataforma
rust
Componente
base64
Corrigido em
0.5.2
0.5.2
CVE-2017-1000430 describes a critical buffer overflow vulnerability affecting the base64 crate in Rust. This flaw arises from an integer overflow when calculating the buffer size for base64 encoding operations, specifically within the encodeconfigbuf and encode_config functions. Exploitation can lead to memory corruption and potentially arbitrary code execution. Affected versions are those prior to 0.5.2; upgrading to this version resolves the vulnerability.
The vulnerability's impact is severe due to its potential for arbitrary code execution. An attacker can craft a large input string to trigger the integer overflow, causing an undersized buffer to be allocated. Subsequent writes to this buffer, handled via unsafe code, will then overflow the buffer's boundaries, corrupting memory. This memory corruption can be leveraged to overwrite critical data structures or inject malicious code into the process's memory space, ultimately allowing the attacker to execute arbitrary commands with the privileges of the Rust application. The blast radius is dependent on the application using the vulnerable crate; a widely used library could have a significant impact.
This CVE was publicly disclosed on May 3, 2017. While no active exploitation campaigns have been definitively linked to this specific vulnerability, the potential for arbitrary code execution makes it a high-priority concern. The vulnerability's presence in a widely used crate increases the likelihood of exploitation if left unpatched. No KEV listing is currently available.
Applications written in Rust that utilize the base64 crate are at risk. This includes projects relying on base64 encoding for data transmission, storage, or authentication. Specifically, applications that handle untrusted input data without proper validation are particularly vulnerable.
• rust/supply-chain:
cargo audit --target base64• rust/supply-chain:
cargo tree | grep base64• generic web: Inspect application logs for unusual memory access patterns or crashes related to base64 encoding operations. Look for errors indicating buffer overflows or memory corruption.
disclosure
Status do Exploit
EPSS
0.48% (percentil 65%)
Vetor CVSS
The primary mitigation is to upgrade the base64 crate to version 0.5.2 or later. This version incorporates checked arithmetic to prevent the integer overflow. If upgrading is not immediately feasible, consider implementing runtime checks to validate the input string length before passing it to the encodeconfigbuf or encode_config functions. While not a complete solution, this can provide a layer of defense against exploitation. Thorough testing is crucial after any upgrade to ensure compatibility and prevent regressions. Verify the upgrade by running unit tests that specifically target the base64 encoding functionality.
Nenhum patch oficial disponível. Procure alternativas ou monitore atualizações.
Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.
CVE-2017-1000430 is a critical vulnerability in the Rust base64 crate where an integer overflow can lead to a buffer overflow, potentially allowing arbitrary code execution.
You are affected if your Rust project uses the base64 crate in a version prior to 0.5.2. Check your Cargo.toml file to determine your version.
Upgrade the base64 crate to version 0.5.2 or later using cargo update base64.
While no active exploitation campaigns have been definitively linked, the potential for arbitrary code execution makes it a high-priority concern.
Refer to the Rust security advisory and the base64 crate's release notes for details: [https://rustsec.org/](https://rustsec.org/)
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.
Envie seu arquivo Cargo.lock e descubra na hora se você está afetado.