{"api_version":"1","generated_at":"2026-04-22T22:49:14+00:00","cve":"CVE-2020-36323","urls":{"html":"https://cve.report/CVE-2020-36323","api":"https://cve.report/api/cve/CVE-2020-36323.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-36323","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-36323"},"summary":{"title":"CVE-2020-36323","description":"In the standard library in Rust before 1.52.0, there is an optimization for joining strings that can cause uninitialized bytes to be exposed (or the program to crash) if the borrowed string changes after its length is checked.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2021-04-14 07:15:00","updated_at":"2023-11-07 03:22:00"},"problem_types":["CWE-134"],"metrics":[],"references":[{"url":"https://github.com/rust-lang/rust/issues/80335","name":"https://github.com/rust-lang/rust/issues/80335","refsource":"MISC","tags":[],"title":"API soundness issue in join() implementation of [Borrow<str>] · Issue #80335 · rust-lang/rust · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TFUO3URYCO73D2Q4WYJBWAMJWGGVXQO4/","name":"FEDORA-2021-d7f74f0250","refsource":"","tags":[],"title":"[SECURITY] Fedora 32 Update: rust-1.51.0-3.fc32 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/rust-lang/rust/pull/81728#issuecomment-824904190","name":"https://github.com/rust-lang/rust/pull/81728#issuecomment-824904190","refsource":"MISC","tags":[],"title":"Fixes API soundness issue in join() by Qwaz · Pull Request #81728 · rust-lang/rust · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CZ337CM4GFJLRDFVQCGC7J25V65JXOG5/","name":"FEDORA-2021-d0ba1901ca","refsource":"","tags":[],"title":"[SECURITY] Fedora 34 Update: rust-1.51.0-3.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/rust-lang/rust/pull/81728#issuecomment-821549174","name":"https://github.com/rust-lang/rust/pull/81728#issuecomment-821549174","refsource":"MISC","tags":[],"title":"Fixes API soundness issue in join() by Qwaz · Pull Request #81728 · rust-lang/rust · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZG65GUW6Z2CYOQHF7T3TB5CZKIX6ZJE/","name":"FEDORA-2021-b1ba54add6","refsource":"","tags":[],"title":"[SECURITY] Fedora 33 Update: rust-1.51.0-3.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TFUO3URYCO73D2Q4WYJBWAMJWGGVXQO4/","name":"FEDORA-2021-d7f74f0250","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 32 Update: rust-1.51.0-3.fc32 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/rust-lang/rust/pull/81728","name":"https://github.com/rust-lang/rust/pull/81728","refsource":"MISC","tags":[],"title":"Fixes API soundness issue in join() by Qwaz · Pull Request #81728 · rust-lang/rust · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CZ337CM4GFJLRDFVQCGC7J25V65JXOG5/","name":"FEDORA-2021-d0ba1901ca","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 34 Update: rust-1.51.0-3.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VZG65GUW6Z2CYOQHF7T3TB5CZKIX6ZJE/","name":"FEDORA-2021-b1ba54add6","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 33 Update: rust-1.51.0-3.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-36323","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36323","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"36323","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"32","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"36323","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"33","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"36323","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"34","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"36323","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"rust-lang","cpe5":"rust","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2020-36323","qid":"159344","title":"Oracle Enterprise Linux Security Update for rust-toolset:ol8 (ELSA-2021-3063)"},{"cve":"CVE-2020-36323","qid":"239538","title":"Red Hat Update for rust-toolset:rhel8 (RHSA-2021:3063)"},{"cve":"CVE-2020-36323","qid":"281294","title":"Fedora Security Update for rust (FEDORA-2021-b1ba54add6)"},{"cve":"CVE-2020-36323","qid":"281295","title":"Fedora Security Update for rust (FEDORA-2021-d7f74f0250)"},{"cve":"CVE-2020-36323","qid":"281296","title":"Fedora Security Update for rust (FEDORA-2021-d0ba1901ca)"},{"cve":"CVE-2020-36323","qid":"353979","title":"Amazon Linux Security Advisory for rust : ALAS2-2022-1816"},{"cve":"CVE-2020-36323","qid":"377347","title":"Alibaba Cloud Linux Security Update for rust-toolset:rhel8 (ALINUX3-SA-2021:0061)"},{"cve":"CVE-2020-36323","qid":"501921","title":"Alpine Linux Security Update for rust"},{"cve":"CVE-2020-36323","qid":"505391","title":"Alpine Linux Security Update for rust"},{"cve":"CVE-2020-36323","qid":"900062","title":"CBL-Mariner Linux Security Update for rust 1.47.0"},{"cve":"CVE-2020-36323","qid":"902939","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for rust (4081)"},{"cve":"CVE-2020-36323","qid":"940361","title":"AlmaLinux Security Update for rust-toolset:rhel8 (ALSA-2021:3063)"},{"cve":"CVE-2020-36323","qid":"960098","title":"Rocky Linux Security Update for rust-toolset:rhel8 (RLSA-2021:3063)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2020-36323","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"In the standard library in Rust before 1.52.0, there is an optimization for joining strings that can cause uninitialized bytes to be exposed (or the program to crash) if the borrowed string changes after its length is checked."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://github.com/rust-lang/rust/issues/80335","refsource":"MISC","name":"https://github.com/rust-lang/rust/issues/80335"},{"url":"https://github.com/rust-lang/rust/pull/81728","refsource":"MISC","name":"https://github.com/rust-lang/rust/pull/81728"},{"refsource":"MISC","name":"https://github.com/rust-lang/rust/pull/81728#issuecomment-821549174","url":"https://github.com/rust-lang/rust/pull/81728#issuecomment-821549174"},{"refsource":"FEDORA","name":"FEDORA-2021-d0ba1901ca","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CZ337CM4GFJLRDFVQCGC7J25V65JXOG5/"},{"refsource":"MISC","name":"https://github.com/rust-lang/rust/pull/81728#issuecomment-824904190","url":"https://github.com/rust-lang/rust/pull/81728#issuecomment-824904190"},{"refsource":"FEDORA","name":"FEDORA-2021-b1ba54add6","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VZG65GUW6Z2CYOQHF7T3TB5CZKIX6ZJE/"},{"refsource":"FEDORA","name":"FEDORA-2021-d7f74f0250","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TFUO3URYCO73D2Q4WYJBWAMJWGGVXQO4/"}]}},"nvd":{"publishedDate":"2021-04-14 07:15:00","lastModifiedDate":"2023-11-07 03:22:00","problem_types":["CWE-134"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":8.2,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":4.2},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"PARTIAL","baseScore":6.4},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:rust-lang:rust:*:*:*:*:*:*:*:*","versionEndExcluding":"1.52.0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"36323","Ordinal":"206443","Title":"CVE-2020-36323","CVE":"CVE-2020-36323","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"36323","Ordinal":"1","NoteData":"In the standard library in Rust before 1.52.0, there is an optimization for joining strings that can cause uninitialized bytes to be exposed (or the program to crash) if the borrowed string changes after its length is checked.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"36323","Ordinal":"2","NoteData":"2021-04-14","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"36323","Ordinal":"3","NoteData":"2021-04-26","Type":"Other","Title":"Modified"}]}}}