RUSTSEC-2020-0115

Source
https://rustsec.org/advisories/RUSTSEC-2020-0115
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0115.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2020-0115
Aliases
Published
2020-11-16T12:00:00Z
Modified
2023-11-08T04:03:44.661151Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Singleton lacks bounds on Send and Sync.
Details

Singleton<T> is meant to be a static object that can be initialized lazily. In order to satisfy the requirement that static items must implement Sync, Singleton implemented both Sync and Send unconditionally.

This allows for a bug where non-Sync types such as Cell can be used in singletons and cause data races in concurrent programs.

The flaw was corrected in commit b0d2bd20e by adding trait bounds, requiring the contained type to implement Sync.
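
The pattern described above, as an added example (not ruspiro-singleton's code and not the patch in commit b0d2bd20e). StaticCell<T> is a hypothetical minimal wrapper without lazy initialization, and its T: Sync / T: Send bounds are this example's assumption about what a sound impl looks like.

```rust
use std::cell::UnsafeCell;
use std::sync::atomic::{AtomicUsize, Ordering};
use std::thread;

// Hypothetical stand-in for a static singleton wrapper (assumption, not the crate's type).
pub struct StaticCell<T> {
    inner: UnsafeCell<T>,
}

impl<T> StaticCell<T> {
    pub const fn new(value: T) -> Self {
        StaticCell { inner: UnsafeCell::new(value) }
    }
    // Hands out a shared reference only; mutation must go through T's own interior mutability.
    pub fn get(&self) -> &T {
        unsafe { &*self.inner.get() }
    }
}

// Unsound pattern described in the advisory (kept as a comment on purpose):
//   unsafe impl<T> Sync for StaticCell<T> {}
//   unsafe impl<T> Send for StaticCell<T> {}
// With it, a static StaticCell<Cell<usize>> compiles and threads can race on the Cell.

// Bounded form: the wrapper is only as thread-safe as what it contains.
unsafe impl<T: Sync> Sync for StaticCell<T> {}
unsafe impl<T: Send> Send for StaticCell<T> {}

static COUNTER: StaticCell<AtomicUsize> = StaticCell::new(AtomicUsize::new(0));
// Rejected at compile time under the bounded impls, because Cell<usize> is not Sync:
//   static BAD: StaticCell<std::cell::Cell<usize>> = StaticCell::new(std::cell::Cell::new(0));

// Spawns `threads` workers that each bump the shared counter `iters` times.
pub fn run_workers(threads: usize, iters: usize) -> usize {
    let before = COUNTER.get().load(Ordering::SeqCst);
    let handles: Vec<_> = (0..threads)
        .map(|_| thread::spawn(move || {
            for _ in 0..iters {
                COUNTER.get().fetch_add(1, Ordering::SeqCst);
            }
        }))
        .collect();
    for h in handles { h.join().unwrap(); }
    COUNTER.get().load(Ordering::SeqCst) - before
}

fn main() {
    println!("increments observed: {}", run_workers(4, 10_000));
}
```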

Database specific
{
    "license": "CC0-1.0"
}
References

Affected packages

crates.io / ruspiro-singleton

Package

Name
ruspiro-singleton
Purl
pkg:cargo/ruspiro-singleton

Affected ranges

Type
SEMVER
Events
Introduced
0.0.0-0
Fixed
0.4.1

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [],
        "arch": []
    }
}

Database specific

{
    "cvss": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "informational": null,
    "categories": [
        "memory-corruption",
        "thread-safety"
    ]
}