Home > Vulnerability Database > WS-2022-0464

Mend.io Vulnerability Database

WS-2022-0464

Good to know:

Date: November 3, 2024

This issue and vector is similar to RUSTSEC-2020-0029 of rgb crate which mozjpeg depends on. Affected versions of mozjpeg crate allow creating instances of any type T from bytes, and do not correctly constrain T to the types for which it is safe to do so. Examples of safety violation possible for a type T: T contains a reference type, and it constructs a pointer to an invalid, arbitrary memory address. T requires a safety and/or validity invariant for its construction that may be violated. The issue was fixed in 0.8.19 by using safer types and involving rgb dependency bump.

Language: RUST

Severity Score

5.9

Related Resources (7)

Url: https://github.com/ImageOptim/mozjpeg-rust/commit/97623931a5e9c7b2abc0582532f6f5a122580cf7

Url: https://github.com/ImageOptim/mozjpeg-rust/issues/10

Url: https://crates.io/crates/mozjpeg

Url: https://rustsec.org/advisories/RUSTSEC-2020-0029.html

Url: https://rustsec.org/advisories/RUSTSEC-2020-0165.html

Url: https://github.com/kornelski/rust-rgb/issues/35

Url: https://www.mend.io/vulnerability-database/WS-2022-0464

Severity Score

5.9

Weakness Type (CWE)

Access of Resource Using Incompatible Type ('Type Confusion')

CWE-843

Top Fix

Upgrade Version

Upgrade to version mozjpeg - 0.8.19

Learn More

CVSS v3.1

Base Score:	5.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

WS-2022-0464

Good to know:

Date: November 3, 2024

Language: RUST

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?