{"id":"RUSTSEC-2021-0122","summary":"Generated code can read and write out of bounds in safe code","details":"Code generated by the flatbuffers compiler is `unsafe` but is not marked as such.\nSee https://github.com/google/flatbuffers/issues/6627 for details.\n\nFor example, if generated code is used to decode malformed or untrusted input,\nundefined behavior (and thus security vulnerabilities) is possible even without\nthe use of the `unsafe` keyword, [violating the meaning of \"safe\"](https://doc.rust-lang.org/std/keyword.unsafe.html#the-different-meanings-of-unsafe) code.\n\nAll users of code generated by the `flatbuffers` compiler are recommended to:\n1. Not expose flatbuffers-generated code as part of their public APIs.\n2. Audit their code and look for any usage of `follow`, `push`, or any method that uses them\n   (e.g. `self_follow`).\n3. Carefully go through the crate's documentation to understand which \"safe\" APIs are not\n   intended to be used.","aliases":["GHSA-3jch-9qgp-4844"],"modified":"2023-11-08T04:14:40.953991Z","published":"2021-10-31T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/flatbuffers"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2021-0122.html"},{"type":"REPORT","url":"https://github.com/google/flatbuffers/issues/6627"}],"affected":[{"package":{"name":"flatbuffers","ecosystem":"crates.io","purl":"pkg:cargo/flatbuffers"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"22.9.29"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"arch":[],"os":[],"functions":[]}},"database_specific":{"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2021-0122.json","cvss":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","categories":[],"informational":null}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}
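An added illustration of the pattern this advisory describes, written for this page and not taken from the flatbuffers crate or its generated output: a `follow`-style accessor whose signature says "safe" but which trusts offsets read from the buffer, beside a bounds-checked counterpart and the validating wrapper that recommendation 1 asks crates to expose instead of the generated accessors. The wire layout (a little-endian u32 root offset at byte 0 pointing at a little-endian u32 length-prefixed byte string) and every name used (`follow_trusting`, `follow_checked`, `parse_name`, `encode_message`, `malformed_message`, `read_u32`) are assumptions made for the example; the inputs are constructed inline.

```rust
// Added illustration for RUSTSEC-2021-0122. This is NOT code from the
// flatbuffers crate or its generated output: the wire layout (a little-endian
// u32 root offset at byte 0 pointing at a little-endian u32 length-prefixed
// byte string) and every name below are assumptions made for the example.
use std::convert::TryInto;

/// Checked little-endian u32 read; returns None instead of reading past `buf`.
fn read_u32(buf: &[u8], loc: usize) -> Option<u32> {
    let bytes = buf.get(loc..loc.checked_add(4)?)?;
    Some(u32::from_le_bytes(bytes.try_into().ok()?))
}

/// Model of a generated accessor of the kind the advisory warns about: the
/// signature claims it is safe to call, but nothing inside checks `loc` or the
/// decoded length against `buf.len()`, so a malformed buffer makes it read out
/// of bounds (undefined behaviour) without the caller ever writing `unsafe`.
pub fn follow_trusting(buf: &[u8], loc: usize) -> &[u8] {
    // Only call this on buffers that have already been verified; see `parse_name`.
    unsafe {
        let p = buf.as_ptr().add(loc);
        let len = u32::from_le_bytes([*p, *p.add(1), *p.add(2), *p.add(3)]) as usize;
        std::slice::from_raw_parts(p.add(4), len)
    }
}

/// Sound counterpart: every read is bounds-checked and malformed input is
/// reported through `None` instead of being dereferenced.
pub fn follow_checked(buf: &[u8], loc: usize) -> Option<&[u8]> {
    let len = read_u32(buf, loc)? as usize;
    let start = loc.checked_add(4)?;
    let end = start.checked_add(len)?;
    buf.get(start..end)
}

/// The API a crate should expose to its users instead of the generated
/// accessors (recommendation 1 of the advisory): validate untrusted bytes with
/// checked reads only, so no raw `follow` is reachable from the public surface.
pub fn parse_name(buf: &[u8]) -> Result<&[u8], &'static str> {
    let root = read_u32(buf, 0).ok_or("buffer too short for root offset")? as usize;
    follow_checked(buf, root).ok_or("string offset or length points outside the buffer")
}

/// Builds a well-formed message (constructed sample input for this example).
pub fn encode_message(name: &[u8]) -> Vec<u8> {
    let mut buf = Vec::with_capacity(8 + name.len());
    buf.extend_from_slice(&4u32.to_le_bytes()); // root offset: string starts at byte 4
    buf.extend_from_slice(&(name.len() as u32).to_le_bytes());
    buf.extend_from_slice(name);
    buf
}

/// Constructed malformed input: same framing, but the length field claims
/// roughly 4 GiB. `follow_trusting` would hand out a slice far past the
/// 10-byte buffer; `follow_checked` rejects it.
pub fn malformed_message() -> Vec<u8> {
    let mut buf = encode_message(b"hi");
    buf[4..8].copy_from_slice(&0xFFFF_FFF0u32.to_le_bytes());
    buf
}

fn main() {
    let good = encode_message(b"hello");
    println!("checked, well-formed:  {:?}", parse_name(&good).map(std::str::from_utf8));
    println!("checked, malformed:    {:?}", parse_name(&malformed_message()));
    // The trusting path is only exercised on verified input here; calling it on
    // `malformed_message()` would be undefined behaviour, not a demonstration.
    println!("trusting, well-formed: {:?}", std::str::from_utf8(follow_trusting(&good, 4)));
}
```

The point the malformed buffer makes is that the safe-looking signature of `follow_trusting` protects nobody: the compiler lets any caller pass untrusted bytes to it, which is why recommendation 2 asks you to find every reachable use of `follow`/`push` rather than to look for the `unsafe` keyword.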