Affected versions do not enforce a
Sync bound on the type of caller-provided value held in the plugin registry. References to these values are made accessible to arbitrary threads other than the one that constructed them.
A caller could use this flaw to submit thread-unsafe data into inventory, then access it as a reference simultaneously from multiple threads.
The flaw was corrected by enforcing that data submitted by the caller into inventory is