
RUSTSEC-2020-0092

Send/Sync bound needed on V in impl Send/Sync for ARCache<K, V>

Reported
Issued
Package: concread (crates.io)
Type: INFO Unsound
Categories
Aliases
References
CVSS Score: 4.7 MEDIUM
CVSS Details:
  • Attack vector: Local
  • Attack complexity: High
  • Privileges required: Low
  • User interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Patched:
  • >=0.2.6

Description

Affected versions of this crate unconditionally implemented the Send and Sync traits for the ARCache<K, V> type.

This allows users to send types that do not implement Send to other threads, or access types that do not implement Sync from several threads, through the cache, which can cause a data race.

The flaw was corrected in the 0.2.6 release by adding the bounds K: Send + Sync and V: Send + Sync to the affected Send/Sync trait implementations.
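The difference between the two impl shapes, as an added example that is not concread's code: UnboundedCache and BoundedCache are hypothetical stand-ins for ARCache, and the Probe helper is an assumption used only to ask the compiler which types it considers Send + Sync.

```rust
use std::cell::Cell;
use std::marker::PhantomData;
use std::rc::Rc;

// Toy stand-ins (hypothetical, not concread's types). PhantomData<*mut _>
// mimics a raw-pointer field, which switches off the automatic Send/Sync impls
// and forces the author to write them by hand.
pub struct UnboundedCache<K, V>(PhantomData<*mut (K, V)>);
pub struct BoundedCache<K, V>(PhantomData<*mut (K, V)>);

// Shape the advisory describes for affected versions: no bounds on K or V.
unsafe impl<K, V> Send for UnboundedCache<K, V> {}
unsafe impl<K, V> Sync for UnboundedCache<K, V> {}

// Shape the advisory describes for 0.2.6: both parameters are bounded.
unsafe impl<K: Send + Sync, V: Send + Sync> Send for BoundedCache<K, V> {}
unsafe impl<K: Send + Sync, V: Send + Sync> Sync for BoundedCache<K, V> {}

// Compile-time probe: the inherent const is chosen only when T: Send + Sync,
// otherwise resolution falls back to the blanket trait const (false).
struct Probe<T: ?Sized>(PhantomData<T>);
trait Fallback {
    const SEND_SYNC: bool = false;
}
impl<T: ?Sized> Fallback for T {}
impl<T: ?Sized + Send + Sync> Probe<T> {
    const SEND_SYNC: bool = true;
}
macro_rules! is_send_sync {
    ($t:ty) => { <Probe<$t>>::SEND_SYNC };
}

// Rc<Cell<u32>> is neither Send nor Sync: its refcount and its Cell are unsynchronized.
type ThreadLocalValue = Rc<Cell<u32>>;

pub fn unbounded_admits_thread_local_value() -> bool {
    is_send_sync!(UnboundedCache<u32, ThreadLocalValue>)
}
pub fn bounded_admits_thread_local_value() -> bool {
    is_send_sync!(BoundedCache<u32, ThreadLocalValue>)
}
pub fn bounded_admits_thread_safe_value() -> bool {
    is_send_sync!(BoundedCache<u32, String>)
}

fn main() {
    println!("unbounded + Rc<Cell<u32>>: {}", unbounded_admits_thread_local_value());
    println!("bounded   + Rc<Cell<u32>>: {}", bounded_admits_thread_local_value());
    println!("bounded   + String:        {}", bounded_admits_thread_safe_value());
}
```

With the bounded impls, passing a cache of Rc values to std::thread::spawn is rejected at compile time instead of compiling into a potential data race.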

Advisory available under CC0-1.0 license.