GHSA-27wf-5967-98gx:  Kubernetes kubelet arbitrary command execution

GHSA-mr95-vfcf-fx9p: Apache Answer: Predictable Authorization Token Using UUIDv1

GHSA-pqhp-25j4-6hq9: smol-toml has a Denial of Service via malicious TOML document using deeply nested inline tables

GHSA-v5h2-q2w4-gpcx: Sentry improper error handling leaks Application Integration Client Secret

GHSA-8w49-h785-mj3c: Tornado has an HTTP cookie parsing DoS vulnerability

When activating the non-default feature `serialize`, most structs implement
`serde::Deserialize` without sufficient validation. This allows breaking
invariants in safe code, leading to:

* Undefined behavior in `as_string()` methods (which use
  `std::str::from_utf8_unchecked()` internally).
* Panics due to failed assertions.

See https://github.com/gz/rust-cpuid/issues/43.


**Optional \`Deserialize\` implementations lacking validation**

Moderate severity GitHub Reviewed Published Jun 17, 2022 • Updated Jun 17, 2022

Headline

GHSA-jf5h-cf95-w759: Optional `Deserialize` implementations lacking validation

ghsa: Latest News