CVE-2022-31100: Reachable Assertion in rulex

June 21, 2022 (updated June 29, 2022)

When parsing untrusted rulex expressions, rulex may crash, possibly enabling a Denial of Service attack. This happens when the expression contains a multi-byte UTF-8 code point in a string literal or after a backslash, because rulex tries to slice into the code point and panics as a result.

This is a security concern for you, if

your service parses untrusted rulex expressions (expressions provided by an untrusted user), and
your service becomes unavailable when the thread running rulex panics.

References

github.com/advisories/GHSA-8v9w-p43c-r885
github.com/rulex-rs/rulex
github.com/rulex-rs/rulex/commit/fac6d58b25c6f9f8c0a6cdc4dec75b37b219f1d6
github.com/rulex-rs/rulex/security/advisories/GHSA-8v9w-p43c-r885
nvd.nist.gov/vuln/detail/CVE-2022-31100
rustsec.org/advisories/RUSTSEC-2022-0031.html

Detect and mitigate CVE-2022-31100 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →