RUSTSEC-2020-0107

hashconsing's HConsed lacks Send/Sync bound for its Send/Sync trait.

Reported
Issued
Package: hashconsing (crates.io)
Type: Vulnerability
Categories
Keywords: #concurrency
Aliases
References
CVSS Score: 7.5 HIGH
CVSS Details:
  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: None
  • User interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Patched:
  • >=1.1.0

Description

Affected versions of hashconsing implement Send/Sync for the HConsed type without restricting it to types that are themselves Send and Sync.

This allows non-Sync types such as Cell to be shared across threads, leading to undefined behavior and memory corruption in concurrent programs.
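The missing bound can be audited at compile time. The following is an added example, not hashconsing's code: `Unbounded` and `Bounded` are hypothetical handle types (an `Arc<T>` plus an id is an assumed layout), and `Probe`/`Fallback` are helper names introduced here to report whether a concrete type is Send and Sync.

```rust
use std::cell::Cell;
use std::marker::PhantomData;
use std::sync::Arc;

// Hypothetical handle types for illustration; not hashconsing's source.
#[allow(dead_code)]
pub struct Unbounded<T> { elm: Arc<T>, uid: u64 }
// Defect class described in the advisory: the impls hold for every T.
unsafe impl<T> Send for Unbounded<T> {}
unsafe impl<T> Sync for Unbounded<T> {}

#[allow(dead_code)]
pub struct Bounded<T> { elm: Arc<T>, uid: u64 }
// Corrected form: the handle is only as thread-safe as the T it wraps.
unsafe impl<T: Send + Sync> Send for Bounded<T> {}
unsafe impl<T: Send + Sync> Sync for Bounded<T> {}

// Compile-time probe: the inherent consts win when the bound holds,
// otherwise resolution falls back to the blanket trait defaults.
#[allow(dead_code)]
struct Probe<T: ?Sized>(PhantomData<T>);
trait Fallback {
    const SEND: bool = false;
    const SYNC: bool = false;
}
impl<T: ?Sized> Fallback for T {}
impl<T: ?Sized + Send> Probe<T> { const SEND: bool = true; }
impl<T: ?Sized + Sync> Probe<T> { const SYNC: bool = true; }

macro_rules! send_sync {
    ($t:ty) => { (<Probe<$t>>::SEND, <Probe<$t>>::SYNC) };
}

/// (Send, Sync) for each handle wrapping a non-Sync `Cell<u32>`, plus a control.
pub fn audit() -> [(&'static str, (bool, bool)); 3] {
    [
        ("Unbounded<Cell<u32>>", send_sync!(Unbounded<Cell<u32>>)),
        ("Bounded<Cell<u32>>", send_sync!(Bounded<Cell<u32>>)),
        ("Bounded<u32>", send_sync!(Bounded<u32>)),
    ]
}

fn main() {
    for (name, (send, sync)) in audit() {
        println!("{}: Send={} Sync={}", name, send, sync);
    }
}
```

With the bounded impls, code that tries to move or share a handle over `Cell` between threads is rejected by the compiler instead of compiling into a data race.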

Advisory available under CC0-1.0 license.