Описание
time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.
A stack exhaustion flaw has been discovered in the rust time crate. When user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Confidential Compute Attestation | build-of-trustee/trustee-rhel9 | Fix deferred | ||
| Confidential Compute Attestation | confidential-compute-attestation-tech-preview/trustee-rhel9 | Fix deferred | ||
| Confidential Compute Attestation | openshift-sandboxed-containers/osc-monitor-rhel9 | Fix deferred | ||
| Confidential Compute Attestation | openshift-sandboxed-containers/osc-operator-bundle | Fix deferred | ||
| Confidential Compute Attestation | openshift-sandboxed-containers/osc-podvm-builder-rhel9 | Fix deferred | ||
| Confidential Compute Attestation | openshift-sandboxed-containers/osc-podvm-payload-rhel9 | Fix deferred | ||
| Confidential Compute Attestation | openshift-sandboxed-containers/osc-rhel9-operator | Fix deferred | ||
| Lightspeed Core | lightspeed-core/dataverse-exporter-rhel9 | Fix deferred | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/cluster-logging-operator-bundle | Fix deferred | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/cluster-logging-rhel9-operator | Fix deferred |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
EPSS
5.9 Medium
CVSS3
Связанные уязвимости
time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.
time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.
time provides date and time handling in Rust. From 0.3.6 to before 0.3 ...
EPSS
5.9 Medium
CVSS3