Description
Vulnerable Library - vergen-7.4.3.crate
Found in HEAD commit: ff1328545be7a0c82f80f4b3686f867ef0be5adc
Vulnerabilities
CVE | Severity | Dependency | Type | Fixed in (vergen version) | Remediation Available
---|---|---|---|---|---
CVE-2022-37434 | 9.8 | detected in multiple dependencies | Transitive | N/A* | ❌
CVE-2018-25032 | 7.5 | detected in multiple dependencies | Transitive | N/A* | ❌
WS-2020-0368 | 6.5 | detected in multiple dependencies | Transitive | N/A* | ❌
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
CVE-2022-37434
Vulnerable Libraries - libz-sys-1.1.8.crate, libgit2-sys-0.13.4+1.4.2.crate
libz-sys-1.1.8.crate
Low-level bindings to the system libz library (also known as zlib).
Library home page: https://crates.io/api/v1/crates/libz-sys/1.1.8/download
Dependency Hierarchy:
- vergen-7.4.3.crate (Root Library)
  - git2-0.14.4.crate
    - libgit2-sys-0.13.4+1.4.2.crate
      - ❌ libz-sys-1.1.8.crate (Vulnerable Library)
libgit2-sys-0.13.4+1.4.2.crate
Native bindings to the libgit2 library
Library home page: https://crates.io/api/v1/crates/libgit2-sys/0.13.4+1.4.2/download
Dependency Hierarchy:
- vergen-7.4.3.crate (Root Library)
  - git2-0.14.4.crate
    - ❌ libgit2-sys-0.13.4+1.4.2.crate (Vulnerable Library)
Found in HEAD commit: ff1328545be7a0c82f80f4b3686f867ef0be5adc
Found in base branch: main
Vulnerability Details
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).
Publish Date: 2022-08-05
URL: CVE-2022-37434
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
CVE-2018-25032
Vulnerable Libraries - libgit2-sys-0.13.4+1.4.2.crate, libz-sys-1.1.8.crate
libgit2-sys-0.13.4+1.4.2.crate
Native bindings to the libgit2 library
Library home page: https://crates.io/api/v1/crates/libgit2-sys/0.13.4+1.4.2/download
Dependency Hierarchy:
- vergen-7.4.3.crate (Root Library)
  - git2-0.14.4.crate
    - ❌ libgit2-sys-0.13.4+1.4.2.crate (Vulnerable Library)
libz-sys-1.1.8.crate
Low-level bindings to the system libz library (also known as zlib).
Library home page: https://crates.io/api/v1/crates/libz-sys/1.1.8/download
Dependency Hierarchy:
- vergen-7.4.3.crate (Root Library)
  - git2-0.14.4.crate
    - libgit2-sys-0.13.4+1.4.2.crate
      - ❌ libz-sys-1.1.8.crate (Vulnerable Library)
Found in HEAD commit: ff1328545be7a0c82f80f4b3686f867ef0be5adc
Found in base branch: main
Vulnerability Details
zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
Publish Date: 2022-03-25
URL: CVE-2018-25032
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-25032
Release Date: 2022-03-25
Fix Resolution: libstd-rs - 1.57.0;bioconductor-netreg - 1.13.1;tcl - 8.6.11;sudo - 1.8.32;bjam-native - 1.74.0;ccache - 4.1,3.3.4;libgit2 - 1.3.0;cmake - 3.19.5,3.7.2,3.7.0,3.22.0,3.17.3;slamdunk - 0.4.0;rsync - 3.2.1;cmake-native - 3.15.5,3.18.4,3.17.3,3.22.0,3.7.0;mentalist - 0.2.3;ghostscript - 9.55.0
WS-2020-0368
Vulnerable Libraries - libz-sys-1.1.8.crate, libgit2-sys-0.13.4+1.4.2.crate
libz-sys-1.1.8.crate
Low-level bindings to the system libz library (also known as zlib).
Library home page: https://crates.io/api/v1/crates/libz-sys/1.1.8/download
Dependency Hierarchy:
- vergen-7.4.3.crate (Root Library)
  - git2-0.14.4.crate
    - libgit2-sys-0.13.4+1.4.2.crate
      - ❌ libz-sys-1.1.8.crate (Vulnerable Library)
libgit2-sys-0.13.4+1.4.2.crate
Native bindings to the libgit2 library
Library home page: https://crates.io/api/v1/crates/libgit2-sys/0.13.4+1.4.2/download
Dependency Hierarchy:
- vergen-7.4.3.crate (Root Library)
  - git2-0.14.4.crate
    - ❌ libgit2-sys-0.13.4+1.4.2.crate (Vulnerable Library)
Found in HEAD commit: ff1328545be7a0c82f80f4b3686f867ef0be5adc
Found in base branch: main
Vulnerability Details
Zlib in versions v0.8 to v1.2.11 is vulnerable to use-of-uninitialized-value in inflate.
There are a couple of places in inflate() where UPDATE is called with state->check as its first parameter, without a guarantee that this value has been initialized (state comes from a ZALLOC in inflateInit). This causes use of uninitialized check value.
Publish Date: 2020-02-22
URL: WS-2020-0368
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2020-0368
Release Date: 2020-02-22
Fix Resolution: cmake-native - 3.15.5;binutils-cross-testsuite - 2.35;libstd-rs - 1.57.0;gdb - 11.1,9.2;tcl - 8.6.11;sudo - 1.8.32;binutils - 2.35,2.28;ccache - 3.3.3,4.1;libgit2 - 1.3.0;cmake - 3.19.5,3.7.0,3.7.2,3.22.0,3.17.3;cmake-native - 3.17.3,3.7.0,3.22.0,3.18.4;ghostscript - 9.55.0