Giters

aljen / world_renderer

World Renderer & Generator

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

bevy_egui-0.15.1.crate: 2 vulnerabilities (highest severity is: 9.8) - autoclosed

mend-bolt-for-github opened this issue · comments

commented
Vulnerable Library - bevy_egui-0.15.1.crate

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (bevy_egui version) Remediation Available
WS-2023-0006 High 9.8 bumpalo-3.11.0.crate Transitive N/A*
CVE-2022-45299 Medium 5.5 webbrowser-0.7.1.crate Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

WS-2023-0006

Vulnerable Library - bumpalo-3.11.0.crate

A fast bump allocation arena for Rust.

Library home page: https://crates.io/api/v1/crates/bumpalo/3.11.0/download

Dependency Hierarchy:

  • bevy_egui-0.15.1.crate (Root Library)
    • webbrowser-0.7.1.crate
      • web-sys-0.3.59.crate
        • wasm-bindgen-0.2.82.crate
          • wasm-bindgen-macro-0.2.82.crate
            • wasm-bindgen-macro-support-0.2.82.crate
              • wasm-bindgen-backend-0.2.82.crate
                • bumpalo-3.11.0.crate (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In bumpalo prior to 3.11.1, the lifetime of the iterator produced by Vec::into_iter() is not constrained to the lifetime of the Bump that allocated the vector's memory. Using the iterator after the Bump is dropped causes use-after-free accesses.

Publish Date: 2023-01-14

URL: WS-2023-0006

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://rustsec.org/advisories/RUSTSEC-2022-0078.html

Release Date: 2023-01-14

Fix Resolution: bumpalo - 3.11.1

Step up your Open Source Security Game with Mend here

CVE-2022-45299

Vulnerable Library - webbrowser-0.7.1.crate

Open URLs in web browsers available on a platform

Library home page: https://crates.io/api/v1/crates/webbrowser/0.7.1/download

Dependency Hierarchy:

  • bevy_egui-0.15.1.crate (Root Library)
    • webbrowser-0.7.1.crate (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An issue in the IpFile argument of rust-lang webbrowser-rs v0.8.2 allows attackers to access arbitrary files via supplying a crafted URL.

Publish Date: 2023-01-13

URL: CVE-2022-45299

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-45299

Release Date: 2023-01-13

Fix Resolution: webbrowser - 0.8.3

Step up your Open Source Security Game with Mend here

commented

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.