Description
Vulnerable Library - temporal-sdk-core-api-0.1.0
Path to dependency file: /temporalio/bridge/Cargo.toml
Path to vulnerable library: /temporalio/bridge/Cargo.toml
Vulnerabilities
CVE | Severity | Dependency | Type | Fixed in (temporal-sdk-core-api version) | Remediation Possible**
---|---|---|---|---|---
WS-2023-0366 | 5.5 | rustix-0.38.8.crate | Transitive | N/A* | ❌
*For some transitive vulnerabilities, there is no version of the direct dependency that contains a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
Details
WS-2023-0366
Vulnerable Library - rustix-0.38.8.crate
Safe Rust bindings to POSIX/Unix/Linux/Winsock2-like syscalls
Library home page: https://static.crates.io/crates/rustix/rustix-0.38.8.crate
Path to dependency file: /temporalio/bridge/Cargo.toml
Path to vulnerable library: /temporalio/bridge/Cargo.toml
Dependency Hierarchy:
- temporal-sdk-core-api-0.1.0 (Root Library)
  - temporal-sdk-core-protos-0.1.0
    - prost-wkt-types-0.4.2.crate
      - prost-build-0.11.9.crate
        - tempfile-3.8.0.crate
          - ❌ rustix-0.38.8.crate (Vulnerable Library)
Found in base branch: main
Vulnerability Details
rustix's rustix::fs::Dir iterator with the linux_raw backend can cause memory explosion
Publish Date: 2023-10-18
URL: WS-2023-0366
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-c827-hfw6-qwvm
Release Date: 2023-10-18
Fix Resolution: rustix - 0.35.15, 0.36.16, 0.37.25, 0.38.19