RUSTSEC-2020-0046

See a problem?
Please try reporting it to the source first.

Source

https://rustsec.org/advisories/RUSTSEC-2020-0046

Import Source

https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0046.json

JSON Data

https://api.osv.dev/v1/vulns/RUSTSEC-2020-0046

Aliases

CVE-2020-35899
GHSA-whc7-5p35-4ww2

Published

2020-01-08T12:00:00Z

Modified

2023-11-08T04:03:38.239916Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

bespoke Cell implementation allows obtaining several mutable references to the same data

Details

The custom implementation of a Cell primitive in the affected versions of this crate does not keep track of mutable references to the underlying data.

This allows obtaining several mutable references to the same object which may result in arbitrary memory corruption, most likely use-after-free.

The flaw was corrected by switching from a bespoke Cell<T> implementation to Rc<RefCell<T>>.

Database specific

{
    "license": "CC0-1.0"
}

References

Affected packages

crates.io / actix-service

Package

Name: actix-service; View open source insights on deps.dev
Purl: pkg:cargo/actix-service

Affected ranges

Type: SEMVER
Events: Introduced

0.0.0-0

Fixed

1.0.6

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [],
        "arch": []
    }
}

Database specific

{
    "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "informational": "unsound",
    "categories": [
        "memory-corruption"
    ]
}