CVE-2021-45705

CRITICAL9.8EPSS 0.43%

Aliased mutable references from `tls_rand` & `TlsWyRand`

Published: 6/17/2022Modified: 11/8/2023

Also known as:GHSA-p6gj-gpc8-f8xw GHSA-r57r-j98g-587fRUSTSEC-2021-0114

Description

`TlsWyRand`'s implementation of `Deref` unconditionally dereferences a raw pointer, and returns multiple mutable references to the same object, which is undefined behavior.

Affected packages (3)

crates.io/nanorand>= 0.5.0, < 0.6.1
crates.io/nanorand>= 0.5.0, < 0.6.1
crates.io/nanorand>= 0.5.0, < 0.6.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (6)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-45705
PATCHhttps://crates.io/crates/nanorand
PATCHhttps://github.com/Absolucy/nanorand-rs
WEBhttps://github.com/Absolucy/nanorand-rs/issues/28
WEBhttps://raw.githubusercontent.com/rustsec/advisory-db/main/crates/nanorand/RUSTSEC-2021-0114.md
WEBhttps://rustsec.org/advisories/RUSTSEC-2021-0114.html