CVE-2019-15550: Out of bounds read in simd-json

August 25, 2021 (updated June 13, 2023)

The affected version of this crate did not guard against accessing memory beyond the range of its input data. A pointer cast to read the data into a 256-bit register could lead to a segmentation fault when the end plus the 32 bytes (256 bit) read would overlap into the next page during string parsing. This allows an attacker to eventually crash a service. The flaw was corrected by using a padding buffer for the last read from the input. So that we are we never read over the boundary of the input data.

References

github.com/Licenser/simdjson-rs
github.com/Licenser/simdjson-rs/pull/27
github.com/advisories/GHSA-gwfj-pw2x-h6c2
nvd.nist.gov/vuln/detail/CVE-2019-15550
rustsec.org/advisories/RUSTSEC-2019-0008.html

Detect and mitigate CVE-2019-15550 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →