VYPR

apk package

wolfi/cargo-audit-doc

pkg:apk/wolfi/cargo-audit-doc

Vulnerabilities (12)

  • CVE-2025-58160 | Severity: Low | Aug 29, 2025
    affected: < 0.21.2-r7 | fixed: 0.21.2-r7

    tracing is a framework for instrumenting Rust programs to collect structured, event-based diagnostic information. Prior to version 0.3.20, tracing-subscriber was vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be i

  • CVE-2024-12224 | May 30, 2025
    affected: < 0.21.0-r3 | fixed: 0.21.0-r3

    Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname.

  • CVE-2025-4574 | Severity: Medium | May 13, 2025
    affected: < 0.21.2-r3 | fixed: 0.21.2-r3

    In crossbeam-channel rust crate, the internal `Channel` type's `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption.

  • CVE-2025-4432 | Severity: Medium | May 9, 2025
    affected: < 0.21.2-r4 | fixed: 0.21.2-r4

    A flaw was found in Rust's Ring package. A panic may be triggered when overflow checking is enabled. In the QUIC protocol, this flaw allows an attacker to induce this panic by sending a specially crafted packet. It will likely occur unintentionally in 1 out of every 2**32 packets

  • CVE-2025-22620 | Severity: Medium | Jan 20, 2025
    affected: < 0.21.2-r0 | fixed: 0.21.2-r0

    gitoxide is an implementation of git written in Rust. Prior to 0.17.0, gix-worktree-state specifies 0777 permissions when checking out executable files, intending that the umask will restrict them appropriately. But one of the strategies it uses to set permissions is not subject

  • CVE-2024-45405 | Severity: Medium | Sep 6, 2024
    affected: < 0.21.2-r1 | fixed: 0.21.2-r1

    `gix-path` is a crate of the `gitoxide` project (an implementation of `git` written in Rust) dealing with paths and their conversions. Prior to version 0.10.11, `gix-path` runs `git` to find the path of a configuration file associated with the `git` installation, but improperly resolv

  • CVE-2024-45305 | Severity: Low | Sep 2, 2024
    affected: < 0.21.2-r1 | fixed: 0.21.2-r1

    gix-path is a crate of the gitoxide project dealing with git paths and their conversions. `gix-path` executes `git` to find the path of a configuration file that belongs to the `git` installation itself, but mistakenly treats the local repository's configuration as system-wide if

  • CVE-2024-35197 | Severity: Medium | May 23, 2024
    affected: < 0.21.2-r1 | fixed: 0.21.2-r1

    gitoxide is a pure Rust implementation of Git. On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary data to the devices. This allows a repository, when cloned, to cause indefinite

  • CVE-2024-35186 | Severity: High | May 23, 2024
    affected: < 0.21.2-r1 | fixed: 0.21.2-r1

    gitoxide is a pure Rust implementation of Git. During checkout, `gix-worktree-state` does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application. This vulnerability leads

  • CVE-2024-32884 | Severity: Medium | Apr 26, 2024
    affected: < 0.21.2-r1 | fixed: 0.21.2-r1

    gitoxide is a pure Rust implementation of Git. `gix-transport` does not check the username part of a URL for text that the external `ssh` program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, b

  • CVE-2024-32650 | Severity: High | Apr 19, 2024
    affected: < 0.21.2-r1 | fixed: 0.21.2-r1

    Rustls is a modern TLS library written in Rust. `rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input. When using a blocking rustls server, if a client sends a `close_notify` message immediately after `client_hello`, the server's `complete

  • CVE-2024-27308 | Mar 6, 2024
    affected: < 0.21.2-r1 | fixed: 0.21.2-r1

    Mio is a Metal I/O library for Rust. When using named pipes on Windows, mio will under some circumstances return invalid tokens that correspond to named pipes that have already been deregistered from the mio registry. The impact of this vulnerability depends on how mio is used. F