{"id":"RUSTSEC-2021-0067","summary":"Memory access due to code generation flaw in Cranelift module","details":"There is a bug in 0.73.0 of the Cranelift x64 backend that can create a\nscenario that could result in a potential sandbox escape in a WebAssembly\nmodule. Users of versions 0.73.0 of Cranelift should upgrade to either 0.73.1\nor 0.74 to remediate this vulnerability. Users of Cranelift prior to 0.73.0\nshould update to 0.73.1 or 0.74 if they were not using the old default backend.\n\nMore details can be found in the GitHub Security Advisory at:\n\n\u003chttps://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hpqh-2wqx-7qp5\u003e","aliases":["CVE-2021-32629","GHSA-hpqh-2wqx-7qp5","PYSEC-2021-87"],"modified":"2023-11-08T04:05:55.118129Z","published":"2021-05-21T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/cranelift-codegen"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2021-0067.html"},{"type":"ADVISORY","url":"https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hpqh-2wqx-7qp5"}],"affected":[{"package":{"name":"cranelift-codegen","ecosystem":"crates.io","purl":"pkg:cargo/cranelift-codegen"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.73.1"}]}],"ecosystem_specific":{"affects":{"functions":[],"os":[],"arch":["x86"]},"affected_functions":null},"database_specific":{"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2021-0067.json","informational":null,"categories":["code-execution","memory-corruption","memory-exposure"],"cvss":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}]}