bevy_egui-0.15.1.crate: 2 vulnerabilities (highest severity is: 9.8) - autoclosed
mend-bolt-for-github opened this issue · comments
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (bevy_egui version) | Remediation Available |
---|---|---|---|---|---|---|
WS-2023-0006 | High | 9.8 | bumpalo-3.11.0.crate | Transitive | N/A* | ❌ |
CVE-2022-45299 | Medium | 5.5 | webbrowser-0.7.1.crate | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
WS-2023-0006
Vulnerable Library - bumpalo-3.11.0.crate
A fast bump allocation arena for Rust.
Library home page: https://crates.io/api/v1/crates/bumpalo/3.11.0/download
Dependency Hierarchy:
- bevy_egui-0.15.1.crate (Root Library)
  - webbrowser-0.7.1.crate
    - web-sys-0.3.59.crate
      - wasm-bindgen-0.2.82.crate
        - wasm-bindgen-macro-0.2.82.crate
          - wasm-bindgen-macro-support-0.2.82.crate
            - wasm-bindgen-backend-0.2.82.crate
              - ❌ bumpalo-3.11.0.crate (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In bumpalo prior to 3.11.1, the lifetime of the iterator produced by Vec::into_iter() is not constrained to the lifetime of the Bump that allocated the vector's memory. Using the iterator after the Bump is dropped causes use-after-free accesses.
Publish Date: 2023-01-14
URL: WS-2023-0006
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://rustsec.org/advisories/RUSTSEC-2022-0078.html
Release Date: 2023-01-14
Fix Resolution: bumpalo - 3.11.1
CVE-2022-45299
Vulnerable Library - webbrowser-0.7.1.crate
Open URLs in web browsers available on a platform
Library home page: https://crates.io/api/v1/crates/webbrowser/0.7.1/download
Dependency Hierarchy:
- bevy_egui-0.15.1.crate (Root Library)
  - ❌ webbrowser-0.7.1.crate (Vulnerable Library)
Found in base branch: master
Vulnerability Details
An issue in the IpFile argument of rust-lang webbrowser-rs v0.8.2 allows attackers to access arbitrary files via supplying a crafted URL.
Publish Date: 2023-01-13
URL: CVE-2022-45299
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-45299
Release Date: 2023-01-13
Fix Resolution: webbrowser - 0.8.3
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.