This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate surrealdb-core

Dependencies

(87 total, 24 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 addr^0.15.60.15.6up to date
 ahash^0.8.110.8.11up to date
 arbitrary^1.3.21.4.1up to date
 argon2^0.5.20.5.3up to date
 any_ascii^0.3.20.3.2up to date
 async-recursion^1.0.51.1.1up to date
 base64^0.21.50.22.1out of date
 bcrypt^0.15.00.15.1up to date
 bincode^1.3.31.3.3up to date
 bytes^1.5.01.8.0up to date
 cedar-policy^2.4.24.2.2out of date
 async-channel^1.9.02.3.1out of date
 chrono^0.4.310.4.38up to date
 ciborium^0.2.10.2.2up to date
 dashmap^5.5.36.1.0out of date
 surrealdb-derive^0.12.00.12.0up to date
 deunicode^1.4.11.6.0up to date
 dmp^0.2.00.2.0up to date
 echodb^0.4.00.7.0out of date
 async-executor^1.8.01.13.1up to date
 ext-sort^0.1.40.1.4up to date
 foundationdb^0.8.00.9.1out of date
 fst^0.4.70.4.7up to date
 futures^0.3.290.3.31up to date
 fuzzy-matcher^0.3.70.3.7up to date
 geo^0.27.00.29.1out of date
 geo-types^0.7.120.7.13up to date
 hashbrown^0.14.50.15.1out of date
 hex^0.4.30.4.3up to date
 indxdb^0.4.00.5.0out of date
 ipnet^2.9.02.10.1up to date
 rquickjs^0.5.10.6.2out of date
 surrealdb-jsonwebtoken^8.3.0-surreal.1N/Aup to date
 lexicmp^0.1.00.1.0up to date
 linfa-linalg=0.1.00.2.0out of date
 md-5^0.10.60.10.6up to date
 nanoid^0.4.00.4.0up to date
 ndarray=0.15.60.16.1out of date
 ndarray-stats=0.5.10.6.0out of date
 nom^7.1.37.1.3up to date
 num-traits^0.2.180.2.19up to date
 num_cpus^1.16.01.16.0up to date
 object_store ⚠️^0.8.00.11.1out of date
 once_cell^1.18.01.20.2up to date
 pbkdf2^0.12.20.12.2up to date
 pharos^0.5.30.5.3up to date
 phf^0.11.20.11.2up to date
 pin-project-lite^0.2.130.2.15up to date
 quick_cache^0.4.00.6.9out of date
 radix_trie^0.2.10.2.1up to date
 rand^0.8.50.8.5up to date
 reblessive^0.3.00.4.1out of date
 regex^1.10.21.11.1up to date
 regex-syntax^0.8.20.8.5up to date
 reqwest^0.11.220.12.9out of date
 revision^0.7.00.10.0out of date
 ring^0.17.70.17.8up to date
 rmpv^1.0.11.3.0up to date
 roaring^0.10.20.10.6up to date
 rocksdb^0.21.00.22.0out of date
 rust-stemmers^1.2.01.2.0up to date
 rust_decimal^1.33.11.36.0up to date
 scrypt^0.11.00.11.0up to date
 semver^1.0.201.0.23up to date
 serde^1.0.1931.0.215up to date
 serde_json^1.0.1081.0.132up to date
 sha1^0.10.60.10.6up to date
 sha2^0.10.80.10.8up to date
 snap^1.1.01.1.1up to date
 speedb^0.0.40.0.5out of date
 storekey^0.5.00.5.0up to date
 surrealkv^0.1.50.5.1out of date
 surrealml-core^0.1.10.1.3up to date
 tempfile^3.10.13.14.0up to date
 thiserror^1.0.502.0.3out of date
 surrealdb-tikv-client^0.2.0-surreal.2N/Aup to date
 tokio^1.34.01.41.1up to date
 tokio-tungstenite^0.20.10.24.0out of date
 tracing^0.1.400.1.40up to date
 trice^0.4.00.4.0up to date
 ulid^1.1.01.1.3up to date
 unicase^2.7.02.8.0up to date
 url^2.5.02.5.3up to date
 uuid^1.6.11.11.0up to date
 wasm-bindgen-futures^0.4.390.4.45up to date
 wasmtimer^0.2.00.4.0out of date
 ws_stream_wasm^0.7.40.7.4up to date

Dev dependencies

(11 total, 4 outdated)

CrateRequiredLatestStatus
 criterion^0.5.10.5.1up to date
 env_logger^0.10.10.11.5out of date
 flate2^1.0.281.0.35up to date
 pprof^0.13.00.14.0out of date
 serial_test^2.0.03.2.0out of date
 temp-dir^0.1.110.1.14up to date
 test-log^0.2.130.2.16up to date
 time^0.3.300.3.36up to date
 tokio^1.34.01.41.1up to date
 tracing-subscriber^0.3.180.3.18up to date
 wiremock^0.5.220.6.2out of date

Security Vulnerabilities

object_store: Apache Arrow Rust Object Store: AWS WebIdentityToken exposure in log files

RUSTSEC-2024-0358

Exposure of temporary credentials in logs in Apache Arrow Rust Object Store, version 0.10.1 and earlier on all platforms using AWS WebIdentityTokens.

On certain error conditions, the logs may contain the OIDC token passed to AssumeRoleWithWebIdentity. This allows someone with access to the logs to impersonate that identity, including performing their own calls to AssumeRoleWithWebIdentity, until the OIDC token expires. Typically OIDC tokens are valid for up to an hour, although this will vary depending on the issuer.

Users are recommended to use a different AWS authentication mechanism, disable logging or upgrade to version 0.10.2, which fixes this issue.

Details

When using AWS WebIdentityTokens with the object_store crate, in the event of a failure and automatic retry, the underlying reqwest error, including the full URL with the credentials, potentially in the parameters, is written to the logs.

Thanks to Paul Hatcherian for reporting this vulnerability