Vulnerable Cargo crates

Base Metric    Score    Severity
overall        2.5      low

Type: Weakness

Status: open

Reporting Date: 2023.04.04

Some of the Rust crates the application depends on have known vulnerabilities or are unmaintained. The application is exposed to risk through these dependencies.

Description

The output of cargo audit shows:

Crate:     remove_dir_all
Version:   0.5.3
Title:     Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)
Date:      2023-02-24
ID:        RUSTSEC-2023-0018
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0018
Solution:  Upgrade to >=0.8.0
Dependency tree:
remove_dir_all 0.5.3
└── tempdir 0.3.7
    └── bleep 0.3.4
        └── bloop 0.3.4

Crate:     time
Version:   0.1.45
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Severity:  6.2 (medium)
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.45
└── chrono 0.4.24
    ├── rudderanalytics 1.1.2
    │   └── bleep 0.3.4
    │       └── bloop 0.3.4
    ├── octocrab 0.17.0
    │   └── bleep 0.3.4
    └── bleep 0.3.4

Crate:     ansi_term
Version:   0.12.1
Warning:   unmaintained
Title:     ansi_term is Unmaintained
Date:      2021-08-18
ID:        RUSTSEC-2021-0139
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0139
Dependency tree:
ansi_term 0.12.1
└── clap 2.34.0
    └── hyperpolyglot 0.1.7
        └── bleep 0.3.4
            └── bloop 0.3.4

Crate:     failure
Version:   0.1.8
Warning:   unmaintained
Title:     failure is officially deprecated/unmaintained
Date:      2020-05-02
ID:        RUSTSEC-2020-0036
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0036
Severity:  9.8 (critical)
Dependency tree:
failure 0.1.8
└── rudderanalytics 1.1.2
    └── bleep 0.3.4
        └── bloop 0.3.4

Crate:     kuchiki
Version:   0.8.1
Warning:   unmaintained
Title:     `kuchiki` is unmaintained
Date:      2023-01-21
ID:        RUSTSEC-2023-0019
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0019
Dependency tree:
kuchiki 0.8.1
├── wry 0.23.4
│   └── tauri-runtime-wry 0.12.2
│       └── tauri 1.2.4
│           └── bloop 0.3.4
└── tauri-utils 1.2.1
    ├── tauri-runtime-wry 0.12.2
    ├── tauri-runtime 0.12.1
    │   ├── tauri-runtime-wry 0.12.2
    │   └── tauri 1.2.4
    ├── tauri-macros 1.2.1
    │   └── tauri 1.2.4
    ├── tauri-codegen 1.2.1
    │   └── tauri-macros 1.2.1
    ├── tauri-build 1.2.1
    │   └── bloop 0.3.4
    └── tauri 1.2.4

Crate:     tempdir
Version:   0.3.7
Warning:   unmaintained
Title:     `tempdir` crate has been deprecated; use `tempfile` instead
Date:      2018-02-13
ID:        RUSTSEC-2018-0017
URL:       https://rustsec.org/advisories/RUSTSEC-2018-0017
Dependency tree:
tempdir 0.3.7
└── bleep 0.3.4
    └── bloop 0.3.4

Crate:     atty
Version:   0.2.14
Warning:   unsound
Title:     Potential unaligned read
Date:      2021-07-04
ID:        RUSTSEC-2021-0145
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
├── env_logger 0.9.3
│   └── rudderanalytics 1.1.2
│       └── bleep 0.3.4
│           └── bloop 0.3.4
├── criterion 0.4.0
│   └── bleep 0.3.4
└── clap 2.34.0
    └── hyperpolyglot 0.1.7
        └── bleep 0.3.4

Crate:     failure
Version:   0.1.8
Warning:   unsound
Title:     Type confusion if __private_get_type_id__ is overridden
Date:      2019-11-13
ID:        RUSTSEC-2019-0036
URL:       https://rustsec.org/advisories/RUSTSEC-2019-0036
Severity:  9.8 (critical)

In particular, the direct dependency tempdir is deprecated.

Impact

24 vulnerabilities (2 moderate, 22 high) were found.

These issues are all related to denial-of-service vulnerabilities, and the project does not seem to be directly impacted. The most impactful issue could theoretically lead to a non-responsive application when a malicious repository is opened. The general impact is therefore low.

Recommendation

  • Keep dependencies updated whenever possible
  • Replace the tempdir crate with tempfile
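As an added example (not part of this finding or of the audited project), the following Python script turns the report from `cargo audit --json` into a CI gate that enforces the recommendation to keep dependencies updated: vulnerabilities, unsound and unmaintained warnings fail the build unless a time-limited waiver is in force, so an accepted risk such as a deprecated transitive crate is re-examined at a fixed date rather than forgotten. The JSON field names it reads (`vulnerabilities.list`, `warnings` keyed by kind, `advisory.id`, `package.name`) follow the cargo-audit report layout as the author understands it and should be checked against the installed cargo-audit version; the embedded sample report and the waiver entry are constructed to mirror the advisories listed above.

```python
"""CI gate over the JSON report produced by `cargo audit --json`.

Added example, not code from the original finding or the audited project.
Assumed report layout: a top-level "vulnerabilities" object with a "list"
of entries and a "warnings" object keyed by warning kind ("unmaintained",
"unsound", "yanked"); each entry carries "package" {"name", "version"} and,
where an advisory exists, "advisory" {"id", "title"} plus "versions"
{"patched": [...]}. Verify these names against your cargo-audit version.
"""
import json
import sys
from datetime import date

# Policy: these finding kinds fail the build unless a waiver is in force.
# "yanked" warnings are reported but do not block.
BLOCKING_KINDS = {"vulnerability", "unsound", "unmaintained"}

# Waivers carry an expiry (ISO date) so an accepted risk is revisited.
# Constructed entry for illustration.
WAIVERS = {
    "RUSTSEC-2021-0139": "2023-07-01",  # ansi_term unmaintained, via clap 2
}

# Constructed sample mirroring the advisories in the finding above.
SAMPLE_REPORT = """{
  "vulnerabilities": {"found": true, "count": 2, "list": [
    {"advisory": {"id": "RUSTSEC-2023-0018",
                  "title": "Race Condition Enabling Link Following and TOCTOU"},
     "versions": {"patched": [">=0.8.0"], "unaffected": []},
     "package": {"name": "remove_dir_all", "version": "0.5.3"}},
    {"advisory": {"id": "RUSTSEC-2020-0071",
                  "title": "Potential segfault in the time crate"},
     "versions": {"patched": [">=0.2.23"], "unaffected": []},
     "package": {"name": "time", "version": "0.1.45"}}]},
  "warnings": {
    "unmaintained": [
      {"advisory": {"id": "RUSTSEC-2021-0139", "title": "ansi_term is Unmaintained"},
       "package": {"name": "ansi_term", "version": "0.12.1"}},
      {"advisory": {"id": "RUSTSEC-2018-0017",
                    "title": "`tempdir` crate has been deprecated; use `tempfile` instead"},
       "package": {"name": "tempdir", "version": "0.3.7"}}],
    "unsound": [
      {"advisory": {"id": "RUSTSEC-2021-0145", "title": "Potential unaligned read"},
       "package": {"name": "atty", "version": "0.2.14"}}]}
}"""


def _finding(kind, entry):
    """Normalise one report entry into a flat dict."""
    adv = entry.get("advisory") or {}  # yanked entries carry no advisory
    pkg = entry["package"]
    return {
        "kind": kind,
        "id": adv.get("id", f"{kind}:{pkg['name']}"),
        "crate": pkg["name"],
        "version": pkg["version"],
        "title": adv.get("title", ""),
        "patched": entry.get("versions", {}).get("patched", []),
    }


def parse_report(text):
    """Flatten vulnerabilities and all warning kinds into one list."""
    report = json.loads(text)
    found = [_finding("vulnerability", e)
             for e in report.get("vulnerabilities", {}).get("list", [])]
    for kind, entries in report.get("warnings", {}).items():
        found.extend(_finding(kind, e) for e in entries)
    return found


def evaluate(findings, today):
    """Split findings into (blocking, informational) lists.

    `today` is an ISO date string; an expired waiver no longer suppresses.
    """
    now = date.fromisoformat(today)
    blocking, info = [], []
    for f in findings:
        expiry = WAIVERS.get(f["id"])
        waived = expiry is not None and now <= date.fromisoformat(expiry)
        (info if waived or f["kind"] not in BLOCKING_KINDS else blocking).append(f)
    return blocking, info


def describe(f):
    """One-line summary including the upgrade target when the advisory has one."""
    fix = f" -> upgrade to {' or '.join(f['patched'])}" if f["patched"] else ""
    return f"[{f['kind']}] {f['crate']} {f['version']} {f['id']}: {f['title']}{fix}"


def main(argv):
    # Usage: python audit_gate.py report.json   (no argument: built-in sample)
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    blocking, info = evaluate(parse_report(text), date.today().isoformat())
    for f in info:
        print("note  ", describe(f))
    for f in blocking:
        print("BLOCK ", describe(f))
    print(f"{len(blocking)} blocking, {len(info)} informational")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `cargo audit --json > report.json && python audit_gate.py report.json` in CI; a non-zero exit fails the job. Against the sample, the two vulnerabilities, the unsound atty warning and the deprecated tempdir block the build, while the waived ansi_term warning is only reported until the waiver date passes.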