
RUSTSEC-2020-0090

Thex allows data races of non-Send types across threads

Reported
Issued
Package: thex (crates.io)
Type: Vulnerability
Categories
Keywords: #concurrency
Aliases
CVSS Score: 5.5 MEDIUM
CVSS Details:
  Attack vector: Local
  Attack complexity: Low
  Privileges required: Low
  User interaction: None
  Scope: Unchanged
  Confidentiality: None
  Integrity: None
  Availability: High
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Patched: no patched versions

Description

thex::Thex<T> implements Sync for all types T. However, it is missing a bound for T: Send.

This allows non-Send types such as Rc to be sent across thread boundaries, which can trigger undefined behavior and memory corruption.
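The missing bound, shown as an added example that is not thex's code and not part of the advisory: `Guarded<T>` is a hypothetical spin-lock wrapper whose Sync impl carries the `T: Send` bound, with the unbounded form left in a comment. The workload in `shared_count` is constructed.

```rust
use std::cell::UnsafeCell;
use std::sync::atomic::{AtomicBool, Ordering};
use std::sync::Arc;
use std::thread;

// Hypothetical lock-style wrapper standing in for a type like Thex<T>.
pub struct Guarded<T> {
    locked: AtomicBool,
    value: UnsafeCell<T>,
}

// Unsound form, as described in the advisory (kept commented out):
//     unsafe impl<T> Sync for Guarded<T> {}
// It would make &Guarded<Rc<u8>> Send, so a second thread could reach the Rc
// through the shared reference and race on its non-atomic reference count.

// Sound form: any thread holding &Guarded<T> can obtain the T, so T must be Send.
// With this bound, sharing a Guarded<Rc<u8>> across threads fails to compile.
unsafe impl<T: Send> Sync for Guarded<T> {}

impl<T> Guarded<T> {
    pub fn new(value: T) -> Self {
        Guarded { locked: AtomicBool::new(false), value: UnsafeCell::new(value) }
    }

    // Run `f` with exclusive access. Kept short: a panic in `f` leaves the flag set.
    pub fn with<R>(&self, f: impl FnOnce(&mut T) -> R) -> R {
        while self.locked.swap(true, Ordering::Acquire) {
            std::hint::spin_loop();
        }
        let out = f(unsafe { &mut *self.value.get() });
        self.locked.store(false, Ordering::Release);
        out
    }
}

// Constructed workload: four threads each add 1000 to a shared counter.
pub fn shared_count() -> u64 {
    let g = Arc::new(Guarded::new(0u64));
    let handles: Vec<_> = (0..4).map(|_| {
        let g = Arc::clone(&g);
        thread::spawn(move || for _ in 0..1000 { g.with(|n| *n += 1) })
    }).collect();
    for h in handles { h.join().unwrap(); }
    g.with(|n| *n)
}

fn main() {
    println!("{}", shared_count());
}
```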

Advisory available under CC0-1.0 license.