CVE-2021-29932: 
Rust vulnerability analysis and mitigation

An issue was discovered in the parse_duration crate through 2021-03-18 for Rust. The vulnerability, identified as CVE-2021-29932, allows attackers to cause a denial of service through CPU and memory consumption by providing duration strings with large exponents. This vulnerability was reported on March 18, 2021, and issued as an advisory on March 24, 2021 (RustSec Advisory).

The vulnerability exists in the parse_duration::parse function, which processes duration strings containing exponents (e.g., '5e5s'). The function uses BigInt type along with the pow function for handling such payloads. When processing arbitrarily large exponents, the function consumes excessive CPU and memory resources. The vulnerability has been assigned a CVSS v3.1 score of 7.5 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (RustSec Advisory).

The vulnerability can lead to denial of service conditions when the parse_duration::parse function processes untrusted input containing large exponents. This results in excessive consumption of CPU and memory resources, potentially affecting system availability (RustSec Advisory).

As of the advisory date, there were no patched versions available. Users should implement input validation to restrict the size of exponents when processing untrusted input, or avoid using the parse_duration crate for processing untrusted input altogether (RustSec Advisory).