CVE-2020-36317 — Vulnetix

CVE-2020-36317 PUBLISHED

In the standard library in Rust before 1.49.0, String::retain() function has a panic safety problem. It allows creation of a non-UTF-8 Rust string when the provided closure panics. This bug could result in a memory safety violation when other string APIs assume that UTF-8 encoding is used on the same string.

EPSS 0.19% · 41.0th percentile

Risk Scores

EPSS Score

0.19%

41.0th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:14.04:LTS	rustc	0, 1.15.1+dfsg0-1~exp1ubuntu2~14.04.7, 1.17.0+dfsg2-8~ubuntu0.14.04.3
Ubuntu:16.04:LTS	rustc	0, 1.7.0+dfsg1-1, 1.15.1+dfsg0-1~exp1ubuntu2~16.04.3
Ubuntu:20.04:LTS	rustc	0, 1.37.0+dfsg1+llvm-1ubuntu1, 1.38.0+dfsg0.2+llvm-0ubuntu1

Exploit Intelligence

https://github.com/rust-lang/rust/issues/78498 (nist-nvd)
https://github.com/rust-lang/rust/pull/78499 (circl)

Timeline

Oct 28, 2020 CVE Published
Apr 14, 2021 EPSS Score
Jun 23, 2021 EPSS Score
Aug 24, 2021 EPSS Score
Oct 26, 2021 EPSS Score
Jan 6, 2022 EPSS Score
Feb 4, 2022 EPSS Score
Feb 28, 2022 EPSS Score
Apr 1, 2022 EPSS Score
May 1, 2022 EPSS Score
Jul 3, 2022 EPSS Score
Sep 4, 2022 EPSS Score

References

https://ubuntu.com/security/CVE-2020-36317 third-party-advisory
https://github.com/rust-lang/rust/issues/78498 third-party-advisory
https://github.com/rust-lang/rust/pull/78499 third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2020-36317 third-party-advisory

Open in Interactive Console →