PT-2021-24264 · crates.io · messagepack-rs

Published: 2021-01-26 · Updated: 2022-06-17 · CVE-2021-45690

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: messagepack-rs crate through 2021-01-26
Description: An issue in the messagepack-rs crate allows it to read from uninitialized memory during deserialization. The affected functions include deserialize_binary, deserialize_string, deserialize_extension_others, and deserialize_string_primitive. These functions pass an uninitialized buffer to a user-provided Read instance; a safe Read implementation is free to read from the buffer it is handed before filling it, so an uninitialized buffer results in undefined behavior.
Recommendations: For the messagepack-rs crate through 2021-01-26, update to a version released after 2021-01-26 that resolves the issue. Until a patched version is available, avoid calling the affected functions deserialize_binary, deserialize_string, deserialize_extension_others, and deserialize_string_primitive, and restrict deserialization of untrusted input through the affected versions of the crate.
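The following is an added example, not code from the messagepack-rs crate: a hardened deserialize_binary-style reader for the MessagePack bin8/bin16/bin32 family (marker 0xc4/0xc5/0xc6, big-endian length, payload) that hands a fully initialized buffer to the caller's Read, beside the vulnerable pattern in a comment. The MAX_BIN_LEN bound and the PeekingReader type are assumptions for the demonstration.

```rust
use std::io::{self, Read};

// Hypothetical allocation cap (an assumption, not from the advisory): the length
// prefix is attacker-controlled, so it must never size an allocation by itself.
const MAX_BIN_LEN: usize = 16 * 1024 * 1024;

/// Vulnerable pattern described by the advisory (comment only, never executed):
///
///     let mut buf = Vec::with_capacity(len);
///     unsafe { buf.set_len(len) };   // bytes are uninitialized
///     reader.read_exact(&mut buf)?;  // a safe `Read` impl may read `buf` -> UB
///
/// Hardened version: the buffer given to the user-provided `Read` is zeroed first,
/// so even a misbehaving but safe `Read` impl only ever observes initialized bytes.
pub fn deserialize_binary<R: Read>(reader: &mut R) -> io::Result<Vec<u8>> {
    let mut tag = [0u8; 1];
    reader.read_exact(&mut tag)?;
    let len = match tag[0] {
        0xc4 => { let mut b = [0u8; 1]; reader.read_exact(&mut b)?; b[0] as usize }
        0xc5 => { let mut b = [0u8; 2]; reader.read_exact(&mut b)?; u16::from_be_bytes(b) as usize }
        0xc6 => { let mut b = [0u8; 4]; reader.read_exact(&mut b)?; u32::from_be_bytes(b) as usize }
        other => return Err(io::Error::new(io::ErrorKind::InvalidData,
                                           format!("not a bin marker: 0x{:02x}", other))),
    };
    if len > MAX_BIN_LEN {
        return Err(io::Error::new(io::ErrorKind::InvalidData, "bin length exceeds limit"));
    }
    let mut buf = vec![0u8; len]; // zero-initialized before it reaches `reader`
    reader.read_exact(&mut buf)?; // truncated input -> UnexpectedEof, never a partial buffer
    Ok(buf)
}

/// A safe `Read` impl that inspects the buffer it is handed before filling it.
/// This is legal for safe code and is exactly what turned the original pattern into
/// undefined behavior. It sums the bytes it observes so a test can confirm they were zero.
pub struct PeekingReader<'a> { pub data: &'a [u8], pub observed: u64 }

impl<'a> Read for PeekingReader<'a> {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        self.observed += buf.iter().map(|&b| b as u64).sum::<u64>();
        let n = buf.len().min(self.data.len());
        buf[..n].copy_from_slice(&self.data[..n]);
        self.data = &self.data[n..];
        Ok(n)
    }
}
```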

Weakness Enumeration

Use of Uninitialized Resource

Related Identifiers

CVE-2021-45690
GHSA-HR52-F9VP-582C
GHSA-JQJJ-R4QP-X2GH
GHSA-JWFH-J623-M97H
GHSA-M325-RXJV-PWPH
GHSA-VW5M-QW2R-M923
RUSTSEC-2021-0092

Affected Products

messagepack-rs