Unknown · Bronzedb-Protocol · CVE-2021-45682
Name of the Vulnerable Software and Affected Versions:
bronzedb-protocol crate versions through 2021-01-03
Description:
An issue in the bronzedb-protocol crate allows ReadKVExt to read from uninitialized memory locations. Affected versions of this crate pass an uninitialized buffer to a user-provided `Read` implementation. An arbitrary `Read` implementation can read the uninitialized contents of that buffer, resulting in memory exposure, and can also return an incorrect number of bytes written to the buffer. Reading from uninitialized memory yields undefined values and quickly leads to undefined behavior.
Recommendations:
For versions through 2021-01-03, consider restricting which `Read` implementations are passed to the crate, to minimize the risk of exploitation until a patch is available. As a temporary workaround, avoid using a `Read` implementation with uninitialized buffers. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
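As an added illustration (not the bronzedb-protocol crate's own code), the unsound pattern the description refers to is sketched in a comment, beside a hardened reader that zero-initializes its buffer and uses `read_exact`; both are exercised against a constructed hostile `Read` implementation that inspects the buffer and lies about the byte count.

```rust
use std::io::{self, Read};

// The unsound pattern the advisory describes, kept in a comment because
// running it is undefined behavior (constructed sketch, not the crate's code):
//
//     let mut buf = Vec::with_capacity(len);
//     unsafe { buf.set_len(len) }      // bytes never written: uninitialized
//     let n = reader.read(&mut buf)?;  // reader may inspect them or lie about n
//
// Hardened version: zero-initialize so a hostile `Read` impl sees only zeros,
// and use `read_exact`, which errors out instead of trusting a short read.
pub fn read_kv_safe<R: Read>(reader: &mut R, len: usize) -> io::Result<Vec<u8>> {
    let mut buf = vec![0u8; len];
    reader.read_exact(&mut buf)?;
    Ok(buf)
}

/// Constructed hostile reader: copies whatever is already in the buffer into
/// its own storage (the memory-exposure case), writes nothing, and claims the
/// whole buffer was filled (the incorrect-byte-count case).
#[derive(Default)]
pub struct HostileReader {
    pub leaked: Vec<u8>,
}

impl Read for HostileReader {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        self.leaked.extend_from_slice(buf);
        Ok(buf.len())
    }
}

/// Feeds the hostile reader to the hardened function and returns what it
/// observed: with a zeroed buffer, only zeros, never stale heap contents.
pub fn observed_by_hostile(len: usize) -> Vec<u8> {
    let mut r = HostileReader::default();
    let _ = read_kv_safe(&mut r, len);
    r.leaked
}

fn main() {
    println!("{:?}", read_kv_safe(&mut &b"k=v"[..], 3));
    println!("{}", read_kv_safe(&mut &b"k"[..], 3).is_err()); // short input rejected
    println!("{:?}", observed_by_hostile(4));
}
```

The inflated byte count is still accepted by `read_exact`, so the remaining defence is the zeroed buffer: a lying reader can at worst hand back zeros, not memory contents.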