This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate rustimate

Dependencies

(29 total, 12 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 actix-http ⚠️^1.0.13.9.0out of date
 actix-rt^1.0.02.10.0out of date
 actix-server^1.0.12.5.0out of date
 actix-service^1.0.12.0.2out of date
 actix-session^0.3.00.10.1out of date
 actix-utils^1.0.43.0.1out of date
 actix-web^2.0.04.9.0out of date
 actix-web-codegen^0.2.04.3.0out of date
 anyhow^1.0.261.0.94up to date
 app_dirs2^2.0.42.5.5up to date
 arrayvec^0.5.10.7.6out of date
 bincode^1.2.11.3.3up to date
 bitflags^1.2.12.6.0out of date
 clap^2.33.04.5.23out of date
 failure^0.1.60.1.8up to date
 flate2^1.0.131.0.35up to date
 futures^0.3.10.3.31up to date
 http^0.2.01.2.0out of date
 iovec^0.1.40.1.4up to date
 libc^0.2.660.2.169up to date
 nodrop^0.1.140.1.14up to date
 ryu^1.0.21.0.18up to date
 serde_json^1.0.441.0.134up to date
 slog^2.5.22.7.0up to date
 slog-async^2.3.02.8.0up to date
 slog-json^2.3.02.6.1up to date
 slog-term^2.4.22.9.1up to date
 tokio-reactor^0.1.110.1.12up to date
 tokio-sync^0.1.70.1.8up to date

Build dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 winres^0.10.1.12up to date

Crate rustimate-controllers

Dependencies

(18 total, 10 outdated, 2 possibly insecure)

CrateRequiredLatestStatus
 actix^0.9.00.13.5out of date
 actix-http ⚠️^1.0.13.9.0out of date
 actix-service^1.0.12.0.2out of date
 actix-session^0.3.00.10.1out of date
 actix-web^2.0.04.9.0out of date
 actix-web-actors^2.0.04.3.1+deprecatedout of date
 anyhow^1.0.261.0.94up to date
 bytes^0.5.31.9.0out of date
 chrono ⚠️^0.4.100.4.39maybe insecure
 derive_more^0.99.21.0.0out of date
 futures^0.3.10.3.31up to date
 maud^0.21.00.26.0out of date
 mime^0.3.140.3.17up to date
 mime_guess^2.0.12.0.5up to date
 serde^1.0.1041.0.216up to date
 serde_json^1.0.441.0.134up to date
 slog^2.5.22.7.0up to date
 uuid^0.8.11.11.0out of date

Crate rustimate-core

Dependencies

(6 total, 2 outdated)

CrateRequiredLatestStatus
 anyhow^1.0.261.0.94up to date
 bincode^1.2.11.3.3up to date
 derive_more^0.99.21.0.0out of date
 serde^1.0.1041.0.216up to date
 serde_json^1.0.441.0.134up to date
 uuid^0.8.11.11.0out of date

Build dependencies

(1 total, 1 outdated)

CrateRequiredLatestStatus
 built^0.3.20.7.5out of date

Crate rustimate-service

Dependencies

(6 total, 1 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 anyhow^1.0.261.0.94up to date
 chrono ⚠️^0.4.90.4.39maybe insecure
 serde^1.0.1041.0.216up to date
 serde_json^1.0.441.0.134up to date
 slog^2.5.22.7.0up to date
 uuid^0.8.11.11.0out of date

Crate rustimate-templates

Dependencies

(5 total, 2 outdated)

CrateRequiredLatestStatus
 anyhow^1.0.261.0.94up to date
 maud^0.21.00.26.0out of date
 num_cpus^1.11.11.16.0up to date
 serde^1.0.1041.0.216up to date
 uuid^0.8.11.11.0out of date

Crate rustimate-assets

Dependencies

(1 total, 1 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 rust-embed ⚠️^5.2.08.5.0out of date

Crate rustimate-client

Dependencies

(9 total, 2 outdated)

CrateRequiredLatestStatus
 anyhow^1.0.261.0.94up to date
 console_error_panic_hook^0.1.60.1.7up to date
 instant^0.1.20.1.13up to date
 js-sys^0.3.330.3.76up to date
 maud^0.21.00.26.0out of date
 uuid^0.8.11.11.0out of date
 wasm-bindgen^0.2.560.2.99up to date
 wasm-bindgen-futures^0.4.60.4.49up to date
 web-sys^0.3.330.3.76up to date

Dev dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 wasm-bindgen-test^0.3.60.3.49up to date

Security Vulnerabilities

actix-http: Use-after-free in BodyStream due to lack of pinning

RUSTSEC-2020-0048

Affected versions of this crate did not require the buffer wrapped in BodyStream to be pinned, but treated it as if it had a fixed location in memory. This may result in a use-after-free.

The flaw was corrected by making the trait MessageBody require Unpin and making poll_next() function accept Pin<&mut Self> instead of &mut self.

chrono: Potential segfault in `localtime_r` invocations

RUSTSEC-2020-0159

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

Workarounds

No workarounds are known.

References

actix-http: Potential request smuggling capabilities due to lack of input validation

RUSTSEC-2021-0081

Affected versions of this crate did not properly detect invalid requests that could allow HTTP/1 request smuggling (HRS) attacks when running alongside a vulnerable front-end proxy server. This can result in leaked internal and/or user data, including credentials, when the front-end proxy is also vulnerable.

Popular front-end proxies and load balancers already mitigate HRS attacks so it is recommended that they are also kept up to date; check your specific set up. You should upgrade even if the front-end proxy receives exclusively HTTP/2 traffic and connects to the back-end using HTTP/1; several downgrade attacks are known that can also expose HRS vulnerabilities.

rust-embed: RustEmbed generated `get` method allows for directory traversal when reading files from disk

RUSTSEC-2021-0126

When running in debug mode and the debug-embed (off by default) feature is not enabled, the generated get method does not check that the input path is a child of the folder given.

This allows attackers to read arbitrary files in the file system if they have control over the filename given. The following code will print the contents of your /etc/passwd if adjusted with a correct number of ../s depending on where it is run from.

#[derive(rust_embed::RustEmbed)]
#[folder = "src/"]
pub struct Asset;

fn main() {
    let d = Asset::get("../../../etc/passwd").unwrap().data;
    println!("{}", String::from_utf8_lossy(&d));
}

The flaw was corrected by canonicalizing the input filename and ensuring that it starts with the canonicalized folder path.