RUSTSEC-2020-0091

Dangling reference in access::Map with Constant

Issued

December 10, 2020

Package

arc-swap (crates.io)

Type

Vulnerability

Categories

memory-corruption

Keywords

#dangling-reference

Aliases

CVE-2020-35711

Details

https://github.com/vorner/arc-swap/issues/45

CVSS Score

7.5 HIGH

CVSS Details

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Patched

>=0.4.8, <1.0.0-0
>=1.1.0

Unaffected

<0.4.2

Affected Functions

Version

arc_swap::access::MapGuard::deref

<1.1.0

Description

Using the arc_swap::access::Map with the Constant test helper (or with user-provided implementation of the Access trait) could sometimes lead to the map returning dangling references.

Replaced by implementation without unsafe, at the cost of added Clone bound on the closure and small penalty on performance.