VYPR
Critical severity · NVD Advisory · Published Dec 31, 2020 · Updated Aug 4, 2024

CVE-2020-35877

Description

An issue was discovered in the ozone crate through 2020-07-04 for Rust. Memory safety is violated because of out-of-bounds access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The ozone Rust crate (<=2020-07-04) contains memory safety bugs including out-of-bounds access and dropping uninitialized memory, risking arbitrary code execution.

Vulnerability Details

The ozone crate, a pure-Rust key-value store inspired by std::collections::HashMap [3], contains multiple memory safety issues. According to the RustSec advisory [2], these include out-of-bounds access and dropping of uninitialized memory. The CVE description [1] confirms that memory safety is violated due to out-of-bounds access. These flaws exist in all versions of the crate up to and including the last commit before July 4, 2020.

Exploitation

The vulnerabilities are reachable without authentication or user interaction, as the crate is intended for use as a library in Rust applications. An attacker who can control input to the affected functions (e.g., through crafted keys or values) could trigger the out-of-bounds reads/writes or the dropping of uninitialized memory. The attack vector is network-based if the library is used in a networked service, but local exploitation is also possible.

Impact

Successful exploitation could lead to memory corruption, potentially allowing an attacker to read sensitive data, corrupt memory, or execute arbitrary code. The CVSS score is 9.8 (Critical) with high impacts on confidentiality, integrity, and availability [2].

Mitigation

As of the advisory publication, no patched versions of the ozone crate exist [2]. The crate appears to be unmaintained; users are advised to avoid using it or to migrate to alternative key-value stores. The vulnerabilities are also tracked as CVE-2020-35878 and two GitHub Security Advisories [2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
ozone (crates.io) | <= 0.1.0 | (none)

Affected products

2

Patches

0

No patches discovered yet.

References

3