PT-2021-24265 · Unknown · Messagepack-Rs

Published 2021-01-26 · Updated 2022-06-17 · CVE-2021-45691

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: messagepack-rs crate, all versions through 2021-01-26 (no fixed release is known).
Description: The messagepack-rs crate passes an uninitialized buffer to a user-provided `Read` implementation in `deserialize_binary`, `deserialize_string`, `deserialize_extension_others` and `deserialize_string_primitive`. The `Read` contract allows an implementation written entirely in safe code to inspect the buffer before filling it, so an ordinary, safe reader can end up reading uninitialized memory. That is undefined behaviour whether or not the reader is hostile; in practice a `Read` implementation that looks at the buffer before writing to it (a logging, hashing or debugging wrapper, for example) observes stale heap contents, and the compiler is free to miscompile the surrounding code.
Recommendations: No fixed release of messagepack-rs is known. Until one exists, do not call `deserialize_binary`, `deserialize_string`, `deserialize_extension_others` or `deserialize_string_primitive` with a `Read` implementation you do not control, and prefer to patch the crate locally (vendor or fork) so that the buffer is zero-initialized (`vec![0; n]` or `Vec::resize`) before it is handed to the reader, or so that the data is read with `Read::take` plus `read_to_end` instead of into a pre-sized buffer. Restricting which code can reach these functions reduces exposure but does not remove the undefined behaviour.
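The unsound pattern the advisory describes, beside two hardened forms, as an added example written for this page (a reconstruction of the described bug, not the messagepack-rs crate's own code). The helper names, the `PeekingReader`, and the sample MessagePack `str 8` bytes are assumptions made here; the only thing taken from the advisory is the shape of the defect, a never-written buffer handed to a caller-supplied `Read`.

```rust
use std::io::{self, Cursor, Read};

/// "Before": the pattern the advisory describes (reconstructed here, not the
/// crate's own code). Capacity is allocated, the length is bumped with
/// `set_len`, and the never-written bytes are handed to a caller-supplied
/// `Read` as an ordinary `&mut [u8]`. That is unsound: `Read::read` may be a
/// safe impl that inspects `buf` before filling it. Kept only for contrast and
/// never executed in this example.
#[allow(dead_code)]
fn read_n_uninit<R: Read>(reader: &mut R, n: usize) -> io::Result<Vec<u8>> {
    let mut buf: Vec<u8> = Vec::with_capacity(n);
    // UNSOUND: exposes n uninitialized bytes as if they were initialized.
    unsafe { buf.set_len(n) };
    reader.read_exact(&mut buf)?;
    Ok(buf)
}

/// Fix 1: zero-initialize before handing the buffer out. One memset, and a
/// reader that peeks now sees well-defined zeros. `read_exact` fails with
/// `UnexpectedEof` on a short read instead of returning a partly filled buffer.
fn read_n_zeroed<R: Read>(reader: &mut R, n: usize) -> io::Result<Vec<u8>> {
    let mut buf = vec![0u8; n];
    reader.read_exact(&mut buf)?;
    Ok(buf)
}

/// Fix 2: do not pre-size at all. `Read::take` caps the reader at `n` bytes and
/// `read_to_end` grows the Vec as data actually arrives, so a hostile length
/// prefix (the usual source of `n` for MessagePack bin/str/ext values) cannot
/// force a huge allocation before the first byte is read.
fn read_n_bounded<R: Read>(reader: &mut R, n: u64) -> io::Result<Vec<u8>> {
    let mut buf = Vec::new();
    reader.take(n).read_to_end(&mut buf)?;
    if buf.len() as u64 != n {
        return Err(io::Error::new(
            io::ErrorKind::UnexpectedEof,
            "stream ended before the declared length",
        ));
    }
    Ok(buf)
}

/// A completely safe `Read` impl that looks at the buffer before filling it,
/// which the `Read` contract permits. Against `read_n_uninit` this would read
/// uninitialized memory; against the fixed helpers it observes only zeros.
/// It records whether it ever saw a non-zero byte in a buffer it was given.
struct PeekingReader<'a> {
    data: &'a [u8],
    saw_nonzero: bool,
}

impl<'a> PeekingReader<'a> {
    fn new(data: &'a [u8]) -> Self {
        PeekingReader { data, saw_nonzero: false }
    }
}

impl Read for PeekingReader<'_> {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        // Inspect before write: legal for any Read impl, which is why the
        // callee must never pass uninitialized memory here.
        if buf.iter().any(|&b| b != 0) {
            self.saw_nonzero = true;
        }
        let n = buf.len().min(self.data.len());
        buf[..n].copy_from_slice(&self.data[..n]);
        self.data = &self.data[n..];
        Ok(n)
    }
}

/// Constructed sample: a MessagePack `str 8` value "hello" (header 0xd9 0x05,
/// then the payload bytes). The header is parsed by hand below to show where
/// the length that sizes the buffer comes from.
const SAMPLE: &[u8] = &[0xd9, 0x05, b'h', b'e', b'l', b'l', b'o'];

/// Parse a `str 8` header and read its payload with the zeroed helper.
/// Returns the payload and whether the peeking reader saw any non-zero byte.
fn read_str8_payload(input: &[u8]) -> io::Result<(Vec<u8>, bool)> {
    if input.len() < 2 || input[0] != 0xd9 {
        return Err(io::Error::new(io::ErrorKind::InvalidData, "not a str 8"));
    }
    let len = input[1] as usize;
    let mut reader = PeekingReader::new(&input[2..]);
    let payload = read_n_zeroed(&mut reader, len)?;
    Ok((payload, reader.saw_nonzero))
}

fn main() -> io::Result<()> {
    let (payload, peeked_garbage) = read_str8_payload(SAMPLE)?;
    println!(
        "payload = {:?}, reader saw non-zero bytes = {}",
        String::from_utf8_lossy(&payload),
        peeked_garbage
    );

    // Hostile length: declare u64::MAX bytes but supply three.
    let err = read_n_bounded(&mut Cursor::new(b"abc"), u64::MAX).unwrap_err();
    println!("bounded read with hostile length -> {}", err);
    Ok(())
}
```

The check a practitioner wants here is Miri: running a test that exercises the `read_n_uninit` path under `cargo miri test` reports the read of uninitialized memory at the first `buf.iter()` in a peeking reader, whereas the same test passes silently under a normal build, which is why this class of bug survives ordinary CI. `read_n_bounded` additionally addresses the allocation side of untrusted length prefixes, which the zeroed form does not.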

Weakness Enumeration

Use of Uninitialized Resource

Related Identifiers

CVE-2021-45691
GHSA-HR52-F9VP-582C
GHSA-JQJJ-R4QP-X2GH
GHSA-JWFH-J623-M97H
GHSA-M325-RXJV-PWPH
GHSA-VW5M-QW2R-M923
RUSTSEC-2021-0092

Affected Products

Messagepack-Rs