Reported

December 8, 2020

Issued

January 30, 2021 (last modified: June 13, 2023)

Package

async-coap (crates.io)

Type

Vulnerability

Categories

• memory-corruption
• thread-safety

Aliases

• CVE-2020-36444
• GHSA-9j8q-m9x5-9g6j

References

• https://github.com/google/rust-async-coap/issues/33

CVSS Score

8.1 HIGH

CVSS Details

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality Impact

High

Integrity Impact

High

Availability Impact

High

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Patched

no patched versions

Description

Affected versions of this crate implement Send/Sync for ArcGuard<RC, T> with no trait bounds on RC. This allows users to send RC: !Send to other threads and also allows users to concurrently access Rc: !Sync from multiple threads.

This can result in memory corruption from data race or other undefined behavior caused by sending T: !Send to other threads (e.g. dropping MutexGuard<T> in another thread that didn't lock its mutex).

Advisory available under CC0-1.0 license.