GHSA-r626-fc64-3q28
Suggest an improvement- Source
- https://github.com/advisories/GHSA-r626-fc64-3q28
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-r626-fc64-3q28/GHSA-r626-fc64-3q28.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-r626-fc64-3q28
- Aliases
-
- CVE-2020-36441
- RUSTSEC-2020-0121
- Published
- 2021-08-25T20:59:06Z
- Modified
- 2023-11-08T04:03:45.024840Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Data race in abox
- Details
-
Affected versions of this crate implements
Send/SyncforAtomicBox<T>without requiringT: Send/T: Sync. This allows to create data races toT: !Syncand sendT: !Sendto another thread. Such behavior breaks the compile-time thread safety guarantees of Rust, and allows users to incur undefined behavior using safe Rust (e.g. memory corruption from data race). The flaw was corrected in commit34c2b9eby adding trait boundT: SendtoSendimpl forAtomicBox<T>and trait boundT: SynctoSyncimpl forAtomicBox<T>. - Database specific
{ "nvd_published_at": "2021-08-08T06:15:00Z", "cwe_ids": [ "CWE-119", "CWE-362" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2021-08-09T21:56:03Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2020-36441
- https://github.com/SonicFrog/abox/issues/1
- https://github.com/SonicFrog/abox/pull/2
- https://github.com/SonicFrog/abox/commit/34c2b9e
- https://github.com/SonicFrog/abox
- https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/abox/RUSTSEC-2020-0121.md
- https://rustsec.org/advisories/RUSTSEC-2020-0121.html
Affected packages
crates.io / abox
Package
- Name
- abox
- View open source insights on deps.dev
- Purl
- pkg:cargo/abox