Rust Package Vulnerabilities

Timeline

Analyzing the timeline helps to identify the required approach to handling single vulnerabilities and vulnerability collections. This overview makes it possible to see less important slices and more severe hotspots at a glance, so that immediate vulnerability response can be initiated and issues prioritized.

Vendor

Identifying all affected vendors is a good starting point for an overview. This makes it possible to determine a homogeneous landscape or the most important hotspots in heterogeneous landscapes.

Product

rusqlite Crate: 15
sized-chunks crate: 6
smallvec Crate: 5
xcb Crate: 5
lock_api Crate: 5

Grouping vulnerabilities by product helps to get an overview. This makes it possible to determine a homogeneous landscape or the most important hotspots in heterogeneous landscapes.

Remediation

Official Fix: 224
Temporary Fix: 0
Workaround: 1
Unavailable: 0
Not Defined: 108

Vendors and researchers are eager to find countermeasures to mitigate security vulnerabilities. These fall into multiple forms and levels of remediation, which influence risk differently.

Exploitability

High: 0
Functional: 0
Proof-of-Concept: 0
Unproven: 0
Not Defined: 333

Researchers and attackers who are looking for security vulnerabilities try to exploit them for academic purposes or personal gain. The level and quality of exploitability can be distinguished to determine the simplicity and strength of attacks.

Access Vector

Not Defined: 0
Physical: 0
Local: 0
Adjacent: 259
Network: 74

To approach a vulnerability, it is important to know the expected access vector. This is typically via the network, locally, or even physically.

Authentication

Not Defined: 0
High: 1
Low: 273
None: 59

To exploit a vulnerability, a certain level of authentication might be required. Vulnerabilities without such a requirement are much more popular.

User Interaction

Not Defined: 0
Required: 4
None: 329

Some attack scenarios require some user interaction by a victim. This is typical for phishing, social engineering and cross-site scripting attacks.

C3BM Index

Our unique C3BM Index (CVSSv3 Base Meta Index) accumulates the CVSSv3 Meta Base Scores of all entries over time. Comparing this index to the number of disclosed vulnerabilities helps to pinpoint the most important events.

CVSSv3 Base

≤1: 0
≤2: 0
≤3: 4
≤4: 50
≤5: 9
≤6: 171
≤7: 39
≤8: 42
≤9: 13
≤10: 5

The Common Vulnerability Scoring System (CVSS) is an industry standard to define the characteristics and impacts of security vulnerabilities. The base score represents the intrinsic aspects that are constant over time and across user environments. Our unique meta score merges all available scores from different sources to aggregate them into the most reliable result.

CVSSv3 Temp

≤1: 0
≤2: 0
≤3: 4
≤4: 50
≤5: 9
≤6: 176
≤7: 42
≤8: 34
≤9: 13
≤10: 5

The Common Vulnerability Scoring System (CVSS) uses temporal ("temp") scores to reflect the characteristics of a vulnerability that may change over time but not across user environments. This includes reporting confidence, exploitability and remediation level. We also provide our unique meta score for temp scores, even though other sources rarely publish them.

VulDB

≤1: 0
≤2: 0
≤3: 5
≤4: 61
≤5: 11
≤6: 206
≤7: 11
≤8: 34
≤9: 0
≤10: 5

The moderation team always defines the base vector and base score for an entry. These and all other available scores are used to generate the meta score.

NVD

≤1: 0
≤2: 0
≤3: 0
≤4: 0
≤5: 2
≤6: 12
≤7: 6
≤8: 47
≤9: 2
≤10: 39

The National Vulnerability Database (NVD) also defines CVSS vectors and scores. These are usually not complete and might differ from VulDB scores.

CNA

≤1: 0
≤2: 0
≤3: 0
≤4: 0
≤5: 0
≤6: 0
≤7: 0
≤8: 2
≤9: 1
≤10: 0

A CVE Numbering Authority (CNA) is responsible for assigning new CVE entries. They might also include a CVSS score. These are usually not complete and might differ from VulDB scores.

Vendor

≤1: 0
≤2: 0
≤3: 0
≤4: 0
≤5: 0
≤6: 0
≤7: 0
≤8: 0
≤9: 0
≤10: 0

Some vendors are willing to publish their own CVSS vectors and scores for vulnerabilities in their products. The coverage varies from vendor to vendor.

Research

≤1: 0
≤2: 0
≤3: 0
≤4: 0
≤5: 0
≤6: 0
≤7: 0
≤8: 0
≤9: 0
≤10: 0

Sometimes security researchers also provide their own CVSS vectors and scores for vulnerabilities they have found and published.

Exploit 0-day

<1k: 77
<2k: 25
<5k: 231
<10k: 0
<25k: 0
<50k: 0
<100k: 0
≥100k: 0

The moderation team works with the threat intelligence team to determine prices for exploits. Our unique algorithm is used to identify the 0-day price of an exploit before it is distributed or becomes public. Calculated prices are aligned with prices disclosed by vulnerability brokers and compared to prices we see on exploit markets.

Exploit Today

<1k: 302
<2k: 26
<5k: 5
<10k: 0
<25k: 0
<50k: 0
<100k: 0
≥100k: 0

The 0-day prices do not consider time-relevant factors. The today price reflects price impacts such as disclosure of vulnerability details, alternative exploits, and availability of countermeasures. These dynamic aspects might decrease exploit prices over time. Under certain circumstances this happens very fast.

Exploit Market Volume

Our unique calculation of exploit prices makes it possible to forecast the expected exploit market volume. The calculated prices for all possible 0-day exploits are accumulated for this task. Comparing the volume to the number of disclosed vulnerabilities helps to pinpoint the most important events.

CTI Activities

Our unique Cyber Threat Intelligence aims to determine the ongoing research of actors in order to anticipate their activities. Observing exploit markets on the Darknet, discussions of vulnerabilities on mailing lists, and exchanges on social media makes it possible to identify planned attacks. Monitored actors and activities are classified as offensive or defensive. They are also weighted, as some actors are well-known for certain products and technologies, and some of their disclosures contain more or less detail about technical aspects and personal context. The world map highlights active actors in real time.

Affected Products (245): abi_stable Crate, abomonation Crate, abox Crate, acc_reader Crate, actix-codec Crate, actix-http Crate, actix-service Crate, actix-utils Crate, actix-web Crate, adtensor Crate, algorithmica Crate, alg_ds Crate, alpm-rs Crate, ammonia Crate, anymap Crate, aovec Crate, appendix Crate, arc-swap Crate, arenavec Crate, ark-r1cs-std Crate, array-queue Crate, array-tools Crate, arrayfire Crate, arr Crate, ash Crate, asn1_der Crate, Asus ROG Armoury Crate Lite, async-coap Crate, async-h1, async-h1 Crate, atomic-option Crate, atom Crate, autorand Crate, av-data Crate, bam Crate, basic_dsp_matrix Crate, beef Crate, better-macro Crate, bigint Crate, binjs_io Crate, bite Crate, bitvec Crate, blake2 Crate, branca Crate, bra Crate, bronzedb-protocol Crate, buffoon Crate, bumpalo Crate, bunch Crate, buttplug Crate, byte_struct Crate, cache Crate, calamine Crate, cbox Crate, cdr Crate, cgc Crate, chacha20 Crate, chttp Crate, chunky Crate, ckb Crate, claxon Crate, columnar Crate, compact_arena Crate, comrak Crate, concread Crate, conquer-once Crate, conqueue Crate, containers Crate, convec Crate, cookie Crate, crater-invoice crater, crayon Crate, crossbeam-channel Crate, crossbeam Crate, crypto2 Crate, csv-sniffer Crate, dces Crate, derive-com-impl Crate, diesel Crate, disrustor Crate, dync Crate, endian_trait Crate, eventio Crate, evm Crate, failure Crate, fil-ocl Crate, flatbuffers Crate, fltk Crate, flumedb Crate, fruity Crate, futures-intrusive Crate, futures-task Crate, futures-util Crate, Generator Crate, generic-array Crate, gfwx Crate, gfx-auxil Crate, glsl-layout Crate, hashconsing Crate, heapless Crate, http crate, hyper Crate, Hyper Crate, iced-x86 Crate, id-map Crate, Image Crate, im Crate, insert_many Crate, internment Crate, kekbit Crate, late-static Crate, lazy-init Crate, lettre Crate, lever Crate, lexer Crate, libflate Crate, libp2p-core Crate, libp2p-deflate Crate, libpulse-binding Crate, libsbc Crate, libsecp256k1 Crate, linea Crate, 
linked-hash-map, lock_api Crate, lru Crate, lucet-runtime-internals Crate, magnetic Crate, marc Crate, max7301 Crate, may_queue Crate, memoffset Crate, messagepack-rs Crate, metrics-util Crate, miow Crate, mio Crate, model Crate, molecule Crate, mopa Crate, mozwire Crate, ms3d Crate, multihash Crate, multiqueue2 Crate, multiqueue Crate, nalgebra Crate, nanorand Crate, nano_arena Crate, nb-connect Crate, ncurses Crate, net2 Crate, nix Crate, noise_search Crate, obstack Crate, once_cell Crate, ordered-float crate, ordnung Crate, orion Crate, os_str_bytes Crate, outer_cgi Crate, ozone Crate, pancurses Crate, parc Crate, parse_duration Crate, pnet Crate, portaudio-rs Crate, portaudio Crate, postscript Crate, prost-types Crate, prost Crate, protobuf Crate, pyo3 Crate, quinn Crate, qwutils Crate, rand_core Crate, rand_core crate, raw-cpuid Crate, rcu_cell Crate, rdiff Crate, reffers Crate, regex, renderdoc Crate, reorder Crate, rgb crate, rio crate, rkyv Crate, rocket Crate, rulinalg Crate, rusb Crate, ruspiro-singleton Crate, rusqlite Crate, rust-embed Crate, rustls Crate, safe-transmute Crate, scottqueue Crate, scratchpad Crate, security-framework Crate, serde_cbor Crate, sha2 Crate, signal-simple Crate, simd-json Crate, simple-slab Crate, simple_asn1 Crate, sized-chunks crate, slice-deque Crate, slock Crate, smallvec Crate, socket2 Crate, sodiumoxide Crate, Spin Crate, stackvector Crate, stack Crate, stack_dst Crate, streebog Crate, string-interner Crate, syncpool Crate, sys-info Crate, tar Crate, tectonic_xdv Crate, telemetry Crate, thex Crate, through Crate, ticketed_lock Crate, Time Crate, tiny_future Crate, tiny_http Crate, tokio-rustls Crate, tokio Crate, toodee Crate, toolshed Crate, traitobject Crate, tremor-script Crate, truetype Crate, trust-dns-proto Crate, trust-dns-server Crate, try-mutex Crate, unicycle Crate, untrusted Crate, uu_od Crate, v9 Crate, va-ts Crate, vec-const Crate, ws Crate, xcb Crate, yaml-rust Crate, yottadb Crate, zeroize_derive Crate

Published | Base | Temp | Vulnerability | Product | Exp | Rem | CTI | CVE
03/09/2022 | 5.9 | 5.8 | regex resource consumption | regex | Not Defined | Official Fix | 0.03 | CVE-2022-24713
01/18/2022 | 5.9 | 5.8 | crater-invoice crater unrestricted upload | crater | Not Defined | Official Fix | 0.08 | CVE-2022-0242
12/27/2021 | 5.5 | 5.3 | vec-const Crate memory corruption | vec-const Crate | Not Defined | Official Fix | 0.04 | CVE-2021-45680
12/27/2021 | 5.5 | 5.3 | rusqlite Crate commit_hook use after free | rusqlite Crate | Not Defined | Official Fix | 0.03 | CVE-2021-45717
12/27/2021 | 5.5 | 5.3 | tokio Crate memory corruption | tokio Crate | Not Defined | Official Fix | 0.06 | CVE-2021-45710
12/27/2021 | 5.5 | 5.5 | crypto2 Crate Chacha20 Privilege Escalation | crypto2 Crate | Not Defined | Not Defined | 0.03 | CVE-2021-45709
12/27/2021 | 5.5 | 5.3 | nix Crate groups getgrouplist out-of-bounds write | nix Crate | Not Defined | Official Fix | 0.05 | CVE-2021-45707
12/27/2021 | 2.6 | 2.5 | zeroize_derive Crate information disclosure | zeroize_derive Crate | Not Defined | Official Fix | 0.05 | CVE-2021-45706
12/27/2021 | 5.5 | 5.3 | nanorand Crate Reference TlsWyRand memory corruption | nanorand Crate | Not Defined | Official Fix | 0.03 | CVE-2021-45705
12/27/2021 | 5.5 | 5.3 | metrics-util Crate AtomicBucket<T> memory corruption | metrics-util Crate | Not Defined | Official Fix | 0.04 | CVE-2021-45704
12/27/2021 | 3.5 | 3.4 | tectonic_xdv Crate process uninitialized pointer | tectonic_xdv Crate | Not Defined | Official Fix | 0.05 | CVE-2021-45703
12/27/2021 | 3.5 | 3.4 | ckb Crate Nervos CKB Blockchain denial of service | ckb Crate | Not Defined | Official Fix | 0.04 | CVE-2021-45700
12/27/2021 | 5.5 | 5.3 | ckb Crate Nervos CKB Blockchain get_block_template Privilege Escalation | ckb Crate | Not Defined | Official Fix | 0.00 | CVE-2021-45698
12/27/2021 | 5.5 | 5.3 | molecule Crate FixVec Privilege Escalation | molecule Crate | Not Defined | Official Fix | 0.00 | CVE-2021-45697
12/27/2021 | 5.5 | 5.3 | sha2 Crate AVX2-accelerated Backend Privilege Escalation | sha2 Crate | Not Defined | Official Fix | 0.03 | CVE-2021-45696
12/27/2021 | 3.5 | 3.5 | rdiff Crate Window uninitialized pointer | rdiff Crate | Not Defined | Not Defined | 0.07 | CVE-2021-45694
12/27/2021 | 3.5 | 3.5 | messagepack-rs Crate deserialize_extension_others uninitialized pointer | messagepack-rs Crate | Not Defined | Not Defined | 0.03 | CVE-2021-45692
12/27/2021 | 3.5 | 3.5 | messagepack-rs Crate deserialize_string uninitialized pointer | messagepack-rs Crate | Not Defined | Not Defined | 0.03 | CVE-2021-45691
12/27/2021 | 3.5 | 3.5 | messagepack-rs Crate deserialize_binary uninitialized pointer | messagepack-rs Crate | Not Defined | Not Defined | 0.06 | CVE-2021-45690
12/27/2021 | 3.5 | 3.5 | gfx-auxil Crate read_spirv uninitialized pointer | gfx-auxil Crate | Not Defined | Not Defined | 0.03 | CVE-2021-45689
12/27/2021 | 3.5 | 3.4 | ash Crate read_spv uninitialized pointer | ash Crate | Not Defined | Official Fix | 0.09 | CVE-2021-45688
12/27/2021 | 3.5 | 3.5 | csv-sniffer Crate preamble_skipcount uninitialized pointer | csv-sniffer Crate | Not Defined | Not Defined | 0.00 | CVE-2021-45686
12/27/2021 | 3.5 | 3.5 | columnar Crate read_typed_vec uninitialized pointer | columnar Crate | Not Defined | Not Defined | 0.06 | CVE-2021-45685
12/27/2021 | 3.5 | 3.5 | flumedb Crate read_entry uninitialized pointer | flumedb Crate | Not Defined | Not Defined | 0.00 | CVE-2021-45684
12/27/2021 | 3.5 | 3.5 | binjs_io Crate Read uninitialized pointer | binjs_io Crate | Not Defined | Not Defined | 0.00 | CVE-2021-45683

308 more entries are not shown
