
Vulnerability_id VCID-j9sg-q7t8-myem
Summary
Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
Wasmtime is a standalone runtime for WebAssembly. Prior to versions 6.0.2, 7.0.1, and 8.0.1, Wasmtime's implementation of managing per-instance state, such as tables and memories, contains LLVM-level undefined behavior. This undefined behavior was found to cause runtime-level issues when compiled with LLVM 16, which optimizes away some writes that are critical for correctness. Vulnerable versions of Wasmtime compiled with Rust 1.70, which is currently in beta, or later are known to have incorrectly compiled functions. Versions of Wasmtime compiled with the current Rust stable release, 1.69, and prior are not known at this time to have any issues, but can theoretically exhibit potential issues.

The underlying problem is that Wasmtime's runtime state for an instance involves a Rust-defined structure called `Instance` which has a trailing `VMContext` structure after it. This `VMContext` structure has a runtime-defined layout that is unique per-module. This representation cannot be expressed with safe code in Rust, so `unsafe` code is required to maintain this state. The code doing this, however, has methods which take `&self` as an argument but modify data in the `VMContext` part of the allocation. This means that pointers derived from `&self` are mutated. Rust does not allow this except through `UnsafeCell`. When compiled to LLVM these functions have `noalias readonly` parameters, which means it is UB to write through the pointers.

Wasmtime's internal representation and management of `VMContext` has been updated to use `&mut self` methods where appropriate. Additionally, verification tools for `unsafe` code in Rust, such as `cargo miri`, are planned to be executed on the `main` branch soon to fix any Rust-level issues that may be exploited in future compiler versions.

Precompiled binaries available for Wasmtime from GitHub releases have been compiled with at most LLVM 15, so they are not known to be vulnerable. As mentioned above, however, it is still recommended to update.

Wasmtime versions 6.0.2, 7.0.1, and 8.0.1 have been issued which contain the patch necessary to work correctly on LLVM 16 and have no known UB on LLVM 15 and earlier. If Wasmtime is compiled with Rust 1.69 and prior, which use LLVM 15, then there are no known issues. There is a theoretical possibility for the undefined behavior to be exploited, however, so it is recommended that users upgrade to a patched version of Wasmtime. Users using beta Rust (1.70 at this time) or nightly Rust (1.71 at this time) must update to a patched version to work correctly.
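The aliasing mistake described above, and the two ways Rust lets you fix it, reduced to a toy. This is an added example, not code from the Wasmtime project, the advisory, or the fix commit. It simplifies the real layout: Wasmtime's `VMContext` is a per-module, runtime-computed region trailing the `Instance`, whereas here the trailing table is a Rust unsized struct field so the language tracks its length. The names `Instance`, `set_slot_ub`, `set_slot`, `set_slot_shared`, `new_instance`, `new_shared_instance` and `demo` are hypothetical. `set_slot_ub` is the advisory's pattern (`&self` in the signature, a write through a pointer derived from it in the body); it is defined for comparison and never called, because calling it is undefined behaviour.

```rust
use std::cell::UnsafeCell;

/// Toy stand-in for Wasmtime's `Instance` followed by its `VMContext`: a
/// fixed header and, in the same allocation, a table of slots whose length
/// is only known when the instance is built. `T` is `[u64; N]` (or
/// `[UnsafeCell<u64>; N]`) at construction and is unsized to a slice after.
/// (Hypothetical type for this example, not Wasmtime's `Instance`.)
#[repr(C)]
struct Instance<T: ?Sized> {
    num_slots: usize, // header field
    slots: T,         // trailing, runtime-sized state
}

impl Instance<[u64]> {
    /// The pattern the advisory describes: `&self` in the signature, but the
    /// body writes through a pointer derived from that shared reference. At
    /// the LLVM level the parameter is `noalias readonly`, so the optimizer
    /// is free to delete the store. Never called here; a test that calls it
    /// under `cargo miri test` is reported as undefined behaviour.
    #[allow(dead_code, invalid_reference_casting)]
    fn set_slot_ub(&self, i: usize, v: u64) {
        assert!(i < self.num_slots);
        // UB: casts away the read-only guarantee that `&self` gives LLVM.
        unsafe { *(self.slots.as_ptr() as *mut u64).add(i) = v }
    }

    /// Fix 1, the approach the Wasmtime patch takes: anything that mutates
    /// the trailing state takes `&mut self`. No `unsafe` is needed and the
    /// compiler is told the memory is writable.
    fn set_slot(&mut self, i: usize, v: u64) {
        self.slots[i] = v;
    }

    fn get_slot(&self, i: usize) -> u64 {
        self.slots[i]
    }
}

impl Instance<[UnsafeCell<u64>]> {
    /// Fix 2: keep `&self` but wrap the mutable state in `UnsafeCell`, the
    /// one type through which Rust permits writes behind a shared reference.
    /// Single-threaded only: `UnsafeCell` is not `Sync`.
    fn set_slot_shared(&self, i: usize, v: u64) {
        assert!(i < self.num_slots);
        unsafe { *self.slots[i].get() = v }
    }

    fn get_slot_shared(&self, i: usize) -> u64 {
        unsafe { *self.slots[i].get() }
    }
}

/// Build an instance with N slots; the `Box<Instance<[u64; N]>>` is unsized
/// to `Box<Instance<[u64]>>` at the return, standing in for a VMContext
/// whose size is decided at instantiation time.
fn new_instance<const N: usize>() -> Box<Instance<[u64]>> {
    Box::new(Instance { num_slots: N, slots: [0u64; N] })
}

fn new_shared_instance<const N: usize>() -> Box<Instance<[UnsafeCell<u64>]>> {
    let slots: [UnsafeCell<u64>; N] = std::array::from_fn(|_| UnsafeCell::new(0));
    Box::new(Instance { num_slots: N, slots })
}

/// Write slot i := (i + 1) * 10 with both sound variants and read them back.
/// Returns the two slot tables so the result can be checked, not just printed.
fn demo() -> (Vec<u64>, Vec<u64>) {
    let mut a = new_instance::<4>();
    for i in 0..a.num_slots {
        a.set_slot(i, (i as u64 + 1) * 10);
    }
    let s = new_shared_instance::<4>();
    for i in 0..s.num_slots {
        s.set_slot_shared(i, (i as u64 + 1) * 10);
    }
    (
        (0..a.num_slots).map(|i| a.get_slot(i)).collect(),
        (0..s.num_slots).map(|i| s.get_slot_shared(i)).collect(),
    )
}

fn main() {
    let (a, s) = demo();
    println!("&mut self variant:  {:?}", a);
    println!("UnsafeCell variant: {:?}", s);
}
```

`cargo run` prints both slot tables. Adding a `#[test]` that calls `set_slot_ub` and running it under `cargo miri test` reports the write through the `&self`-derived pointer as undefined behaviour; that is the kind of check the advisory says is planned for the `main` branch, and it catches the pattern regardless of which LLVM version happens to delete the store.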
Aliases
0
alias CVE-2023-30624
1
alias GHSA-ch89-5g45-qwc7
Fixed_packages
0
url pkg:pypi/wasmtime@8.0.1
purl pkg:pypi/wasmtime@8.0.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/wasmtime@8.0.1
Affected_packages
0
url pkg:conan/wasmtime@7.0.0
purl pkg:conan/wasmtime@7.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-j9sg-q7t8-myem
resource_url http://public2.vulnerablecode.io/packages/pkg:conan/wasmtime@7.0.0
1
url pkg:conan/wasmtime@8.0.0
purl pkg:conan/wasmtime@8.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-j9sg-q7t8-myem
resource_url http://public2.vulnerablecode.io/packages/pkg:conan/wasmtime@8.0.0
2
url pkg:nuget/Wasmtime@7.0.0
purl pkg:nuget/Wasmtime@7.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-j9sg-q7t8-myem
resource_url http://public2.vulnerablecode.io/packages/pkg:nuget/Wasmtime@7.0.0
3
url pkg:nuget/Wasmtime@8.0.0
purl pkg:nuget/Wasmtime@8.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-j9sg-q7t8-myem
resource_url http://public2.vulnerablecode.io/packages/pkg:nuget/Wasmtime@8.0.0
4
url pkg:pypi/wasmtime@7.0.0
purl pkg:pypi/wasmtime@7.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-j9sg-q7t8-myem
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/wasmtime@7.0.0
5
url pkg:pypi/wasmtime@8.0.0
purl pkg:pypi/wasmtime@8.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-j9sg-q7t8-myem
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/wasmtime@8.0.0
References
0
reference_url https://github.com/bytecodealliance/wasmtime/commit/0977952dcd9d482bff7c288868ccb52769b3a92e
reference_id
reference_type
scores
url https://github.com/bytecodealliance/wasmtime/commit/0977952dcd9d482bff7c288868ccb52769b3a92e
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-30624
reference_id CVE-2023-30624
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-30624
2
reference_url https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-ch89-5g45-qwc7
reference_id GHSA-ch89-5g45-qwc7
reference_type
scores
url https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-ch89-5g45-qwc7
Weaknesses
0
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
1
cwe_id 758
name Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
description The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity.
2
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
Exploits
Severity_range_score null
Exploitability null
Weighted_severity null
Risk_score null
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-j9sg-q7t8-myem