PT-2021-18545 · Unknown · Parse Duration

Published 2021-03-18 · Updated 2022-07-12 · CVE-2021-29932

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: parse_duration crate, versions through 2021-03-18
Description: The issue allows attackers to cause a denial of service (CPU and memory consumption) via a duration string with a large exponent. This is possible because the parse_duration::parse function uses the BigInt type along with the pow function to parse duration strings with exponents. Passing an arbitrarily big exponent makes the function process the payload for a very long time, consuming CPU and memory. This can be exploited to cause a denial of service if the function is used to process untrusted input.
Recommendations: For versions through 2021-03-18, consider disabling the parse_duration::parse function until a patch is available, to prevent denial of service attacks via duration strings with large exponents. Avoid feeding untrusted input to the function to minimize the risk of exploitation.
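One way to apply the recommendation above while the function stays in use: bound the exponent before the string ever reaches parse_duration::parse, so BigInt::pow is never evaluated on an attacker-chosen magnitude. This is an added defensive pre-check, not code from the parse_duration crate or from the advisory; it assumes the crate accepts scientific notation with an e/E marker, and the MAX_EXPONENT value is an illustrative choice.

```rust
// Added example: a gate that rejects duration strings with oversized exponents
// before they are handed to parse_duration::parse. Not part of the crate.

/// Largest exponent magnitude we are willing to forward to the parser.
/// Assumed value for illustration; real durations never need more.
const MAX_EXPONENT: u32 = 18;

/// Scans `input` for an exponent marker (`e`/`E` directly after a digit or '.')
/// and returns Err if the exponent digits exceed MAX_EXPONENT or cannot even be
/// parsed into a u32. Returns Ok(()) for strings without an oversized exponent.
pub fn check_exponent(input: &str) -> Result<(), String> {
    let bytes = input.as_bytes();
    let mut i = 0;
    while i < bytes.len() {
        let is_marker = (bytes[i] == b'e' || bytes[i] == b'E')
            && i > 0
            && (bytes[i - 1].is_ascii_digit() || bytes[i - 1] == b'.');
        if !is_marker {
            i += 1; // letters inside unit words such as "seconds" are skipped
            continue;
        }
        let mut j = i + 1;
        if j < bytes.len() && (bytes[j] == b'+' || bytes[j] == b'-') {
            j += 1; // sign is irrelevant: we bound the magnitude either way
        }
        let start = j;
        while j < bytes.len() && bytes[j].is_ascii_digit() {
            j += 1;
        }
        let digits = &input[start..j];
        if !digits.is_empty() {
            // A digit run too long for u32 is certainly beyond any sane bound.
            let value: u32 = digits
                .parse()
                .map_err(|_| format!("exponent '{}' is too large to parse", digits))?;
            if value > MAX_EXPONENT {
                return Err(format!("exponent {} exceeds limit {}", value, MAX_EXPONENT));
            }
        }
        i = j;
    }
    Ok(())
}
```

Call check_exponent on untrusted input first and only pass strings that return Ok(()) to parse_duration::parse.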

Fix

Weakness Enumeration

Allocation of Resources Without Limits
Resource Exhaustion

Related Identifiers

CAN-2021-1000007
CVE-2021-29932
GHSA-QPGV-G792-WH6X
RUSTSEC-2021-0041

Affected Products

Parse Duration