Vulnerability Details CVE-2020-26235
In Rust time crate from version 0.2.7 and before version 0.2.23, unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires the user to set any environment variable in a different thread than the affected functions. The affected functions are time::UtcOffset::local_offset_at, time::UtcOffset::try_local_offset_at, time::UtcOffset::current_local_offset, time::UtcOffset::try_current_local_offset, time::OffsetDateTime::now_local and time::OffsetDateTime::try_now_local. Non-Unix targets are unaffected. This includes Windows and wasm. The issue was introduced in version 0.2.7 and fixed in version 0.2.23.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.008
EPSS Ranking 72.5%
CVSS Severity
CVSS v3 Score 5.3
CVSS v2 Score 3.5
References
- https://crates.io/crates/time/0.2.23
- https://github.com/time-rs/time/issues/293
- https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396
- https://crates.io/crates/time/0.2.23
- https://github.com/time-rs/time/issues/293
- https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396
Products affected by CVE-2020-26235
-
cpe:2.3:a:time_project:time:0.2.10
-
cpe:2.3:a:time_project:time:0.2.11
-
cpe:2.3:a:time_project:time:0.2.12
-
cpe:2.3:a:time_project:time:0.2.13
-
cpe:2.3:a:time_project:time:0.2.14
-
cpe:2.3:a:time_project:time:0.2.15
-
cpe:2.3:a:time_project:time:0.2.16
-
cpe:2.3:a:time_project:time:0.2.17
-
cpe:2.3:a:time_project:time:0.2.18
-
cpe:2.3:a:time_project:time:0.2.19
-
cpe:2.3:a:time_project:time:0.2.20
-
cpe:2.3:a:time_project:time:0.2.21
-
cpe:2.3:a:time_project:time:0.2.22
-
cpe:2.3:a:time_project:time:0.2.7
-
cpe:2.3:a:time_project:time:0.2.8
-
cpe:2.3:a:time_project:time:0.2.9
-
cpe:2.3:o:microsoft:windows:-