{"id":"RUSTSEC-2020-0002","summary":"Parsing a specially crafted message can result in a stack overflow","details":"Affected versions of this crate contained a bug in which decoding untrusted\ninput could overflow the stack.\n\nOn architectures with stack probes (like x86), this can be used for denial of\nservice attacks, while on architectures without stack probes (like ARM)\noverflowing the stack is unsound and can result in potential memory corruption\n(or even RCE).\n \nThe flaw was quickly corrected by @danburkert and released in version 0.6.1.","aliases":["CVE-2020-35858","GHSA-gv73-9mwv-fwgq"],"modified":"2023-11-08T04:03:35.913705Z","published":"2020-01-16T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/prost"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2020-0002.html"},{"type":"REPORT","url":"https://github.com/danburkert/prost/issues/267"}],"affected":[{"package":{"name":"prost","ecosystem":"crates.io","purl":"pkg:cargo/prost"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.6.1"}]}],"ecosystem_specific":{"affects":{"os":[],"functions":[],"arch":[]},"affected_functions":null},"database_specific":{"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0002.json","cvss":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","informational":null,"categories":["denial-of-service","memory-corruption"]}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}