Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2020-25575: Memory safe violation by abusing `__private_get_type_id__` · Issue #336 · rust-lang-deprecated/failure

** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered in the failure crate through 0.1.5 for Rust. It may introduce “compatibility hazards” in some applications, and has a type confusion flaw when downcasting. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: This may overlap CVE-2019-25010.

CVE
Open in Source
#vulnerability

I noticed that it is possible to cause type confusion in downcast by manually implementing private_get_type_id.

https://play.rust-lang.org/?version=stable&mode=debug&edition=2018&gist=ad66fe439660eb8373996bfd6bd7a835

Although the name of the function clearly shows that it is a private API, I believe a safe Rust program should not violate the memory safety guaranteed by Rust type system.

Related news

GHSA-jq66-xh47-j9f3: Type confusion if __private_get_type_id__ is overriden

** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered in the failure crate through 0.1.5 for Rust. It has a type confusion flaw when downcasting. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE