CVE-2021-27378: Incorrect check on buffer length in rand_core
(updated )
An issue was discovered in the rand_core crate before 0.6.2 for Rust. Because read_u32_into and read_u64_into mishandle certain buffer-length checks, a random number generator may be seeded with too little data. The vulnerability was introduced in v0.6.0. The advisory doesn’t apply to earlier minor version numbers.
Because read_u32_into and read_u64_into mishandle certain buffer-length checks, a random number generator may be seeded with too little data.
References
- github.com/advisories/GHSA-w7j2-35mf-95p7
- github.com/rust-random/rand
- github.com/rust-random/rand/compare/0.6.0...rand_core-0.6.2
- github.com/rust-random/rand/compare/0.6.0...rand_core-0.6.2
- github.com/rust-random/rand/pull/1096
- nvd.nist.gov/vuln/detail/CVE-2021-27378
- rustsec.org/advisories/RUSTSEC-2021-0023.html
Code Behaviors & Features
Detect and mitigate CVE-2021-27378 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →