
RUSTSEC-2020-0096

TreeFocus lacks bounds on its Send and Sync traits

Reported
Issued
Package: im (crates.io)
Type: INFO Unsound
Categories
Aliases
References
CVSS Score: 4.7 MEDIUM
CVSS Details
  • Attack vector: Local
  • Attack complexity: High
  • Privileges required: Low
  • User interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Patched
  • >=15.1.0
Unaffected
  • <12.0.0

Description

Affected versions of im contain TreeFocus, a type that unconditionally implements Send and Sync.

This allows a data race in safe Rust code if TreeFocus is extracted from the Focus type. Typical users who only use the Focus type are not affected.
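The difference between an unconditional and a bounded Send/Sync implementation, as an added example that is not code from the im crate or from this advisory. UnboundedFocus, BoundedFocus, the implements! probe and audit() are hypothetical names, and the Send + Sync bound is a conservative assumption about the shape of a fix, not the crate's actual patch.

```rust
use std::cell::Cell;
use std::rc::Rc;

// Constructed stand-ins, not the im crate's types: a handle holding a raw
// pointer is !Send/!Sync by default, so thread safety is asserted by hand.
#[allow(dead_code)]
pub struct UnboundedFocus<A>(*const A);
// Unsound pattern from the advisory: no bound on the payload type A.
unsafe impl<A> Send for UnboundedFocus<A> {}
unsafe impl<A> Sync for UnboundedFocus<A> {}

#[allow(dead_code)]
pub struct BoundedFocus<A>(*const A);
// Assumed fix shape (conservative, Arc-style): only thread-safe payloads.
unsafe impl<A: Send + Sync> Send for BoundedFocus<A> {}
unsafe impl<A: Send + Sync> Sync for BoundedFocus<A> {}

// Compile-time probe: the inherent const is chosen when the bound holds,
// otherwise resolution falls back to the blanket trait's default.
macro_rules! implements {
    ($ty:ty: $($bound:tt)+) => {{
        #[allow(dead_code)]
        trait Fallback { const YES: bool = false; }
        impl<T: ?Sized> Fallback for T {}
        #[allow(dead_code)]
        struct Probe<T: ?Sized>(::std::marker::PhantomData<T>);
        #[allow(dead_code)]
        impl<T: ?Sized + $($bound)+> Probe<T> { const YES: bool = true; }
        <Probe<$ty>>::YES
    }};
}

type Racy = Rc<Cell<u32>>; // neither Send nor Sync
type Plain = u32;          // both Send and Sync

/// (label, claims Send, claims Sync) for each wrapper/payload pair.
pub fn audit() -> [(&'static str, bool, bool); 4] {
    [
        ("Unbounded<Rc<Cell<u32>>>", implements!(UnboundedFocus<Racy>: Send), implements!(UnboundedFocus<Racy>: Sync)),
        ("Bounded<Rc<Cell<u32>>>", implements!(BoundedFocus<Racy>: Send), implements!(BoundedFocus<Racy>: Sync)),
        ("Unbounded<u32>", implements!(UnboundedFocus<Plain>: Send), implements!(UnboundedFocus<Plain>: Sync)),
        ("Bounded<u32>", implements!(BoundedFocus<Plain>: Send), implements!(BoundedFocus<Plain>: Sync)),
    ]
}

fn main() {
    for (label, send, sync) in audit() {
        println!("{:<26} Send={} Sync={}", label, send, sync);
    }
}
```

The first row is the soundness hole: the unbounded wrapper claims Send and Sync even for an Rc<Cell<u32>> payload, which the compiler would otherwise refuse to share between threads.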

Advisory available under CC0-1.0 license.