漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
astral-tokio-tar Vulnerable to PAX Header Desynchronization
Vulnerability Description
astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate tar headers. This issue has been patched in version 0.5.6. There are no workarounds.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Vulnerability Type
使用不兼容类型访问资源(类型混淆)
Vulnerability Title
astral-tokio-tar 安全漏洞
Vulnerability Description
astral-tokio-tar是Astral开源的一个Rust库。 astral-tokio-tar 0.5.6之前版本存在安全漏洞,该漏洞源于边界解析不一致,可能导致解释文件内容为合法tar标头。
CVSS Information
N/A
Vulnerability Type
N/A