RUSTSEC-2020-0091

Dangling reference in access::Map with Constant

Reported

December 10, 2020

Issued

December 11, 2020 (last modified: October 19, 2021)

Package

arc-swap (crates.io)

Type

Vulnerability

Categories

memory-corruption

Keywords

#dangling-reference

Aliases

CVE-2020-35711

Details

https://github.com/vorner/arc-swap/issues/45

CVSS Score

7.5 HIGH

CVSS Details

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Patched

>=0.4.8, <1.0.0-0
>=1.1.0

Unaffected

<0.4.2

Affected Functions

Version

arc_swap::access::MapGuard::deref

<1.1.0

Description

Using the arc_swap::access::Map with the Constant test helper (or with user-provided implementation of the Access trait) could sometimes lead to the map returning dangling references.

Replaced by implementation without unsafe, at the cost of added Clone bound on the closure and small penalty on performance.