CVE-2020-36323
First published: Wed Apr 14 2021(Updated: )
In the standard library in Rust before 1.52.0, there is an optimization for joining strings that can cause uninitialized bytes to be exposed (or the program to crash) if the borrowed string changes after its length is checked.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Rust-lang Rust | <1.52.0 | |
| Fedoraproject Fedora | =32 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/rust-lang/rust/issues/80335
- https://github.com/rust-lang/rust/pull/81728
- https://github.com/rust-lang/rust/pull/81728#issuecomment-821549174
- https://github.com/rust-lang/rust/pull/81728#issuecomment-824904190
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CZ337CM4GFJLRDFVQCGC7J25V65JXOG5/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TFUO3URYCO73D2Q4WYJBWAMJWGGVXQO4/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VZG65GUW6Z2CYOQHF7T3TB5CZKIX6ZJE/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CZ337CM4GFJLRDFVQCGC7J25V65JXOG5/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZG65GUW6Z2CYOQHF7T3TB5CZKIX6ZJE/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TFUO3URYCO73D2Q4WYJBWAMJWGGVXQO4/
Frequently Asked Questions
What is CVE-2020-36323?
CVE-2020-36323 is a vulnerability in the Rust standard library before version 1.52.0 that can cause uninitialized bytes to be exposed or the program to crash if the borrowed string changes after its length is checked.
How does CVE-2020-36323 affect Rust?
CVE-2020-36323 affects Rust versions before 1.52.0 by introducing an optimization for joining strings that can lead to uninitialized bytes being exposed or potentially crashing the program.
What is the severity of CVE-2020-36323?
CVE-2020-36323 has a severity rating of 8.2 (high).
How can I fix CVE-2020-36323?
To fix CVE-2020-36323, update Rust to version 1.52.0 or later.
Are there any references for CVE-2020-36323?
Yes, you can find more information about CVE-2020-36323 at the following references: [GitHub Issue](https://github.com/rust-lang/rust/issues/80335), [Pull Request](https://github.com/rust-lang/rust/pull/81728), [Comment](https://github.com/rust-lang/rust/pull/81728#issuecomment-821549174).
- collector/nvd-index
- agent/references
- agent/type
- agent/weakness
- agent/severity
- agent/author
- agent/description
- agent/event
- agent/remedy
- agent/first-publish-date
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/rust-lang
- canonical/rust-lang rust
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/32
- version/fedoraproject fedora/33
- version/fedoraproject fedora/34