Vulnerability Description
An issue was discovered in the fruity crate through 0.2.0 for Rust. Security-relevant validation of filename extensions is plausibly affected. Methods of NSString for conversion to a string may return a partial result. Because they call CStr::from_ptr on a pointer to the string buffer, the string is terminated at the first '\0' byte, which might not be the end of the string.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fruity Project | Fruity | 0.1.0 |
References
- https://github.com/nvzqz/fruity/issues/14ExploitIssue TrackingPatch
- https://github.com/rustsec/advisory-db/pull/1102ExploitPatchThird Party Advisory
- https://rustsec.org/advisories/RUSTSEC-2021-0123.htmlExploitThird Party Advisory
- https://github.com/nvzqz/fruity/issues/14ExploitIssue TrackingPatch
- https://github.com/rustsec/advisory-db/pull/1102ExploitPatchThird Party Advisory
- https://rustsec.org/advisories/RUSTSEC-2021-0123.htmlExploitThird Party Advisory
FAQ
What is CVE-2021-43620?
CVE-2021-43620 is a vulnerability with a CVSS score of 7.5 (HIGH). An issue was discovered in the fruity crate through 0.2.0 for Rust. Security-relevant validation of filename extensions is plausibly affected. Methods of NSString for conversion to a string may return...
How severe is CVE-2021-43620?
CVE-2021-43620 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-43620?
Check the references section above for vendor advisories and patch information. Affected products include: Fruity Project Fruity.