Reported

December 10, 2020

Issued

December 11, 2020 (last modified: June 13, 2023)

Package

arc-swap (crates.io)

Type

Vulnerability

Categories

• memory-corruption

Keywords

#dangling-reference

Aliases

• CVE-2020-35711
• GHSA-9pqx-g3jh-qpqq

References

• https://github.com/vorner/arc-swap/issues/45

CVSS Score

7.5 HIGH

CVSS Details

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality Impact

None

Integrity Impact

None

Availability Impact

High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Patched

• >=0.4.8, <1.0.0-0
• >=1.1.0

Unaffected

• <0.4.2

Affected Functions

Version

arc_swap::access::MapGuard::deref

• <1.1.0

Description

Using the arc_swap::access::Map with the Constant test helper (or with user-provided implementation of the Access trait) could sometimes lead to the map returning dangling references.

Replaced by implementation without unsafe, at the cost of added Clone bound on the closure and small penalty on performance.

Advisory available under CC0-1.0 license.