Sequoia OpenPGP Out-of-Bounds Access Vulnerability Leading to Denial-of-Service

Vulnerability

A vulnerability in the Sequoia OpenPGP crate for Rust, affecting versions prior to 1.1.1, 1.2.0 through 1.8.0, and 1.9.0 through 1.16.0, allows out-of-bounds array access that causes a panic. The issue stems from several bugs in which attacker-controlled input steers the crate's parsers into using invalid array indices. Rust's bounds checks prevent memory corruption by panicking instead, but that panic can be triggered deliberately to crash applications that use the affected library, producing a denial-of-service condition.

Impact

Exploitation of this vulnerability causes a panic in the application, leading to a crash. While this creates a denial-of-service condition, it does not allow an attacker to read from or write to the application's memory space.
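The bug class described in the Vulnerability and Impact sections, as an added illustration that is not Sequoia's code: a toy OpenPGP-style packet body whose first byte is an attacker-controlled entry count. The unchecked parser indexes the slice directly and panics on a truncated body (the denial-of-service), while the checked parser uses bounds-checked `get` and returns a recoverable error; the packet layout, function names and sample bytes are all constructed for this example.

```rust
// Constructed packet layout (hypothetical, not Sequoia's): byte 0 is an
// entry count supplied by the sender, followed by `count` big-endian u16s.
// An attacker can claim more entries than the body actually carries.

#[derive(Debug, PartialEq)]
pub enum ParseError {
    Truncated { needed: usize, have: usize },
}

/// Vulnerable pattern: trusts the count byte and indexes the slice directly.
/// A body such as [3, 0xAA, 0xBB] claims three entries but carries one, so
/// `body[off + 1]` goes out of bounds and the thread panics.
pub fn parse_entries_unchecked(body: &[u8]) -> Vec<u16> {
    let count = body[0] as usize;
    let mut out = Vec::with_capacity(count);
    for i in 0..count {
        let off = 1 + 2 * i;
        out.push(u16::from_be_bytes([body[off], body[off + 1]]));
    }
    out
}

/// Hardened pattern: the required length is computed once from the count and
/// checked with `get`, so a short body yields `Err` instead of a panic.
pub fn parse_entries_checked(body: &[u8]) -> Result<Vec<u16>, ParseError> {
    let count = *body.first().ok_or(ParseError::Truncated { needed: 1, have: 0 })? as usize;
    let needed = 1 + 2 * count;
    let payload = body
        .get(1..needed)
        .ok_or(ParseError::Truncated { needed, have: body.len() })?;
    Ok(payload.chunks_exact(2).map(|c| u16::from_be_bytes([c[0], c[1]])).collect())
}

/// Runs the vulnerable parser under `catch_unwind` so the panic is observable
/// in a test rather than fatal to the process; returns true if it panicked.
pub fn unchecked_panics(body: &[u8]) -> bool {
    std::panic::catch_unwind(|| parse_entries_unchecked(body)).is_err()
}

fn main() {
    let ok = [2u8, 0x00, 0x01, 0x00, 0x02]; // constructed, well-formed: two entries
    let bad = [3u8, 0xAA, 0xBB]; // constructed, truncated: claims three, carries one
    println!("checked, well-formed: {:?}", parse_entries_checked(&ok));
    println!("checked, truncated:   {:?}", parse_entries_checked(&bad));
    println!("unchecked panics on truncated input: {}", unchecked_panics(&bad));
}
```

The panic message printed by the unchecked path on stderr is exactly what an operator would see in the logs of a crashed service, which makes "thread panicked at index out of bounds" in a parser a useful signal to watch for.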

Remediation

Users should upgrade to Sequoia OpenPGP version 1.1.1, 1.8.1, or 1.16.0, whichever corresponds to the release series in use, to address this vulnerability.

Added: Jul 28, 2025, 3:22 AM
Updated: Jul 28, 2025, 3:22 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 7.7
relevance: 0.3
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.