CVE-2020-35918: Unexpected panic when decoding tokens in branca

August 25, 2021 (updated June 13, 2023)

Prior to 0.10.0 it was possible to have both decoding functions panic unexpectedly, by supplying tokens with an incorrect base62 encoding. The documentation stated that an error should have been reported instead.

References

github.com/advisories/GHSA-c9rv-3jmq-527w
github.com/return/branca
github.com/return/branca/commit/7da3274bd99b05dce9c3f9b4b129d0145c71820b
github.com/return/branca/issues/24
github.com/tuupola/branca-spec/issues/22
nvd.nist.gov/vuln/detail/CVE-2020-35918
rustsec.org/advisories/RUSTSEC-2020-0075.html

Detect and mitigate CVE-2020-35918 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →