This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate rustimate

Dependencies

(29 total, 10 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 actix-http ⚠️^1.0.13.2.2out of date
 actix-rt^1.0.02.7.0out of date
 actix-server^1.0.12.1.1out of date
 actix-service^1.0.12.0.2out of date
 actix-session^0.3.00.7.2out of date
 actix-utils^1.0.43.0.0out of date
 actix-web^2.0.04.2.1out of date
 actix-web-codegen^0.2.04.1.0out of date
 anyhow^1.0.261.0.65up to date
 app_dirs2^2.0.42.5.4up to date
 arrayvec^0.5.10.7.2out of date
 bincode^1.2.11.3.3up to date
 bitflags^1.2.11.3.2up to date
 clap^2.33.04.0.9out of date
 failure^0.1.60.1.8up to date
 flate2^1.0.131.0.24up to date
 futures^0.3.10.3.24up to date
 http^0.2.00.2.8up to date
 iovec^0.1.40.1.4up to date
 libc^0.2.660.2.134up to date
 nodrop^0.1.140.1.14up to date
 ryu^1.0.21.0.11up to date
 serde_json^1.0.441.0.85up to date
 slog^2.5.22.7.0up to date
 slog-async^2.3.02.7.0up to date
 slog-json^2.3.02.6.1up to date
 slog-term^2.4.22.9.0up to date
 tokio-reactor^0.1.110.1.12up to date
 tokio-sync^0.1.70.1.8up to date

Build dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 winres^0.10.1.12up to date

Crate rustimate-controllers

Dependencies

(18 total, 9 outdated, 2 possibly insecure)

CrateRequiredLatestStatus
 actix^0.9.00.13.0out of date
 actix-http ⚠️^1.0.13.2.2out of date
 actix-service^1.0.12.0.2out of date
 actix-session^0.3.00.7.2out of date
 actix-web^2.0.04.2.1out of date
 actix-web-actors^2.0.04.1.0out of date
 anyhow^1.0.261.0.65up to date
 bytes^0.5.31.2.1out of date
 chrono ⚠️^0.4.100.4.22maybe insecure
 derive_more^0.99.20.99.17up to date
 futures^0.3.10.3.24up to date
 maud^0.21.00.24.0out of date
 mime^0.3.140.3.16up to date
 mime_guess^2.0.12.0.4up to date
 serde^1.0.1041.0.145up to date
 serde_json^1.0.441.0.85up to date
 slog^2.5.22.7.0up to date
 uuid^0.8.11.1.2out of date

Crate rustimate-core

Dependencies

(6 total, 1 outdated)

CrateRequiredLatestStatus
 anyhow^1.0.261.0.65up to date
 bincode^1.2.11.3.3up to date
 derive_more^0.99.20.99.17up to date
 serde^1.0.1041.0.145up to date
 serde_json^1.0.441.0.85up to date
 uuid^0.8.11.1.2out of date

Build dependencies

(1 total, 1 outdated)

CrateRequiredLatestStatus
 built^0.3.20.5.1out of date

Crate rustimate-service

Dependencies

(6 total, 1 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 anyhow^1.0.261.0.65up to date
 chrono ⚠️^0.4.90.4.22maybe insecure
 serde^1.0.1041.0.145up to date
 serde_json^1.0.441.0.85up to date
 slog^2.5.22.7.0up to date
 uuid^0.8.11.1.2out of date

Crate rustimate-templates

Dependencies

(5 total, 2 outdated)

CrateRequiredLatestStatus
 anyhow^1.0.261.0.65up to date
 maud^0.21.00.24.0out of date
 num_cpus^1.11.11.13.1up to date
 serde^1.0.1041.0.145up to date
 uuid^0.8.11.1.2out of date

Crate rustimate-assets

Dependencies

(1 total, 1 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 rust-embed ⚠️^5.2.06.4.1out of date

Crate rustimate-client

Dependencies

(9 total, 2 outdated)

CrateRequiredLatestStatus
 anyhow^1.0.261.0.65up to date
 console_error_panic_hook^0.1.60.1.7up to date
 instant^0.1.20.1.12up to date
 js-sys^0.3.330.3.60up to date
 maud^0.21.00.24.0out of date
 uuid^0.8.11.1.2out of date
 wasm-bindgen^0.2.560.2.83up to date
 wasm-bindgen-futures^0.4.60.4.33up to date
 web-sys^0.3.330.3.60up to date

Dev dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 wasm-bindgen-test^0.3.60.3.33up to date

Security Vulnerabilities

actix-http: Use-after-free in BodyStream due to lack of pinning

RUSTSEC-2020-0048

Affected versions of this crate did not require the buffer wrapped in BodyStream to be pinned, but treated it as if it had a fixed location in memory. This may result in a use-after-free.

The flaw was corrected by making the trait MessageBody require Unpin and making poll_next() function accept Pin<&mut Self> instead of &mut self.

chrono: Potential segfault in `localtime_r` invocations

RUSTSEC-2020-0159

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

Workarounds

No workarounds are known.

References

actix-http: Potential request smuggling capabilities due to lack of input validation

RUSTSEC-2021-0081

Affected versions of this crate did not properly detect invalid requests that could allow HTTP/1 request smuggling (HRS) attacks when running alongside a vulnerable front-end proxy server. This can result in leaked internal and/or user data, including credentials, when the front-end proxy is also vulnerable.

Popular front-end proxies and load balancers already mitigate HRS attacks so it is recommended that they are also kept up to date; check your specific set up. You should upgrade even if the front-end proxy receives exclusively HTTP/2 traffic and connects to the back-end using HTTP/1; several downgrade attacks are known that can also expose HRS vulnerabilities.

rust-embed: RustEmbed generated `get` method allows for directory traversal when reading files from disk

RUSTSEC-2021-0126

When running in debug mode and the debug-embed (off by default) feature is not enabled, the generated get method does not check that the input path is a child of the folder given.

This allows attackers to read arbitrary files in the file system if they have control over the filename given. The following code will print the contents of your /etc/passwd if adjusted with a correct number of ../s depending on where it is run from.

#[derive(rust_embed::RustEmbed)]
#[folder = "src/"]
pub struct Asset;

fn main() {
    let d = Asset::get("../../../etc/passwd").unwrap().data;
    println!("{}", String::from_utf8_lossy(&d));
}

The flaw was corrected by canonicalizing the input filename and ensuring that it starts with the canonicalized folder path.