{"id":"RUSTSEC-2022-0031","summary":"Panic due to improper UTF-8 indexing","details":"When parsing untrusted rulex expressions, rulex may panic, possibly enabling\na Denial of Service attack. This happens when the expression contains a multi-\nbyte UTF-8 code point in a string literal or after a backslash, because rulex\ntries to slice into the code point and panics as a result.\n\nThe flaw was corrected in commits `fac6d58b25` and `330b3534e7` by using\n`len_utf8()` to derive character width in bytes instead of assuming ASCII\nencoding of 1 byte per char.","aliases":["CVE-2022-31100","GHSA-8v9w-p43c-r885"],"modified":"2023-11-08T04:09:26.020407Z","published":"2022-05-21T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/rulex"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2022-0031.html"},{"type":"ADVISORY","url":"https://github.com/rulex-rs/rulex/security/advisories/GHSA-8v9w-p43c-r885"}],"affected":[{"package":{"name":"rulex","ecosystem":"crates.io","purl":"pkg:cargo/rulex"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.4.3"}]}],"ecosystem_specific":{"affects":{"arch":[],"functions":[],"os":[]},"affected_functions":null},"database_specific":{"categories":["denial-of-service"],"cvss":null,"informational":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0031.json"}}],"schema_version":"1.7.3"}