GHSA-wwq9-3cpr-mm53

Source
https://github.com/advisories/GHSA-wwq9-3cpr-mm53
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-wwq9-3cpr-mm53/GHSA-wwq9-3cpr-mm53.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-wwq9-3cpr-mm53
Published
2024-12-04T18:29:15Z
Modified
2024-12-04T18:29:15Z
Severity
  • 8.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
Summary
Borsh serialization of HashMap is non-canonical
Details

The borsh serialization of hashbrown's HashMap did not follow the borsh specification. It could produce non-canonical encodings that depended on the map's insertion order, and it did not perform canonicity checks when decoding, so non-canonical input was accepted as well.

This can result in consensus splits and cause equivalent objects to be considered distinct.

This was patched in 0.15.1.
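The following is an added illustration of the two properties the advisory describes, a canonical encoding that does not depend on insertion order and a decoder that rejects non-canonical input. It is not code from the borsh or hashbrown crates; it mirrors only the borsh layout of a little-endian u32 element count followed by key/value entries sorted by key, and assumes u32 keys and values for brevity.

```rust
use std::collections::HashMap;

// Constructed example: canonical map encoding modelled on the borsh layout
// (u32 little-endian element count, then entries sorted by key). Not code
// from the borsh or hashbrown crates; keys and values are fixed to u32.

#[derive(Debug, PartialEq, Eq)]
pub enum DecodeError {
    Truncated,
    TrailingBytes,
    /// Keys are not strictly increasing: the input is out of order or
    /// contains a duplicate key, so it is not the canonical encoding.
    NonCanonical,
}

/// The defect, simplified: entries are written in whatever order the
/// caller hands them over, so two equal maps can encode to different bytes.
pub fn encode_in_given_order(entries: &[(u32, u32)]) -> Vec<u8> {
    let mut out = Vec::with_capacity(4 + entries.len() * 8);
    out.extend_from_slice(&(entries.len() as u32).to_le_bytes());
    for (k, v) in entries {
        out.extend_from_slice(&k.to_le_bytes());
        out.extend_from_slice(&v.to_le_bytes());
    }
    out
}

/// Canonical behaviour: sort by key before writing, so the bytes depend
/// only on the map's contents. A HashMap cannot hold duplicate keys, so
/// sorting alone makes the encoding unique.
pub fn encode_canonical(map: &HashMap<u32, u32>) -> Vec<u8> {
    let mut entries: Vec<(u32, u32)> = map.iter().map(|(k, v)| (*k, *v)).collect();
    entries.sort_unstable_by_key(|(k, _)| *k);
    encode_in_given_order(&entries)
}

fn read_u32(bytes: &[u8], pos: &mut usize) -> Result<u32, DecodeError> {
    let end = pos.checked_add(4).ok_or(DecodeError::Truncated)?;
    let chunk = bytes.get(*pos..end).ok_or(DecodeError::Truncated)?;
    *pos = end;
    Ok(u32::from_le_bytes([chunk[0], chunk[1], chunk[2], chunk[3]]))
}

/// Decoder with a canonicity check: every key must be strictly greater than
/// the previous one, so out-of-order or duplicate keys are rejected instead
/// of silently yielding a map that compares equal to a differently encoded one.
/// The count from the wire is not used to pre-allocate, so a hostile length
/// prefix cannot force a large allocation before the bytes run out.
pub fn decode_checked(bytes: &[u8]) -> Result<HashMap<u32, u32>, DecodeError> {
    let mut pos = 0usize;
    let len = read_u32(bytes, &mut pos)? as usize;
    let mut map = HashMap::new();
    let mut prev: Option<u32> = None;
    for _ in 0..len {
        let k = read_u32(bytes, &mut pos)?;
        let v = read_u32(bytes, &mut pos)?;
        if let Some(p) = prev {
            if k <= p {
                return Err(DecodeError::NonCanonical);
            }
        }
        prev = Some(k);
        map.insert(k, v);
    }
    if pos != bytes.len() {
        return Err(DecodeError::TrailingBytes);
    }
    Ok(map)
}

fn main() {
    // Same contents, different insertion order.
    let a = HashMap::from([(3u32, 30u32), (1, 10), (2, 20)]);
    let b = HashMap::from([(1u32, 10u32), (2, 20), (3, 30)]);
    assert_eq!(a, b);
    // Canonical encoding is identical for both.
    assert_eq!(encode_canonical(&a), encode_canonical(&b));
    // Insertion-order encoding of the same entries is rejected on decode.
    let non_canonical = encode_in_given_order(&[(3, 30), (1, 10), (2, 20)]);
    println!("{:?}", decode_checked(&non_canonical));
    // Canonical bytes round-trip.
    assert_eq!(decode_checked(&encode_canonical(&a)), Ok(a));
}
```

The decode-side check matters as much as the sorted encoder: a consensus system that only fixes the encoder still has two byte strings that decode to equal maps, so peers that hash or compare the raw bytes can disagree about whether they are looking at the same object.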

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-502"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-04T18:29:15Z"
}
Affected packages

crates.io / hashbrown

Affected ranges

Type: SEMVER
Introduced: 0.15.0
Fixed: 0.15.1