RUSTSEC-2020-0122

beef::Cow lacks a Sync bound on its Send trait allowing for data races

Reported

October 28, 2020

Issued

January 27, 2021 (last modified: October 19, 2021)

Package

beef (crates.io)

Type

Vulnerability

Categories

Aliases

CVE-2020-36442

Details

https://github.com/maciejhirsz/beef/issues/37

CVSS Score

8.1 HIGH

CVSS Details

Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Patched

>=0.5.0

Description

Affected versions of this crate did not have a T: Sync bound in the Send impl for Cow<'_, T, U>. This allows users to create data races by making Cow contain types that are (Send && !Sync) like Cell<_> or RefCell<_>.

Such data races can lead to memory corruption.

The flaw was corrected in commit d1c7658 by adding trait bounds T: Sync and T::Owned: Send to the Send impl for Cow<'_, T, U>.