This project contains known security vulnerabilities. Find detailed information at the bottom.
qni-connector-ws-rs(5 total, 3 outdated, 1 insecure, 1 possibly insecure)
| Crate | Required | Latest | Status |
|---|---|---|---|
| log | ^0.4.6 | 0.4.27 | up to date |
| openssl ⚠️ | ^0.10 | 0.10.73 | maybe insecure |
| qni-core-rs | ^0.2.4 | 0.3.2 | out of date |
| simple-error | ^0.1.13 | 0.3.1 | out of date |
| ws ⚠️ | ^0.7.9 | 0.9.2 | insecure |
ws: Insufficient size checks in outgoing buffer in ws allows remote attacker to run the process out of memoryAffected versions of this crate did not properly check and cap the growth of the outgoing buffer.
This allows a remote attacker to take down the process by growing the buffer of their (single) connection until the process runs out of memory it can allocate and is killed.
The flaw was corrected in the parity-ws fork (>=0.10.0) by disconnecting a client when the buffer runs full.
openssl: Use-After-Free in `Md::fetch` and `Cipher::fetch`When a Some(...) value was passed to the properties argument of either of these functions, a use-after-free would result.
In practice this would nearly always result in OpenSSL treating the properties as an empty string (due to CString::drop's behavior).
The maintainers thank quitbug for reporting this vulnerability to us.