Reported

November 14, 2020

Issued

January 30, 2021 (last modified: June 13, 2023)

Package

parc (crates.io)

Type

Vulnerability

Categories

• memory-corruption
• thread-safety

Aliases

• CVE-2020-36454
• GHSA-29v7-3v4c-gf38
• GHSA-xwxc-j97j-84gf

References

• https://github.com/hyyking/rustracts/pull/6

CVSS Score

8.1 HIGH

CVSS Details

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality Impact

High

Integrity Impact

High

Availability Impact

High

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Patched

no patched versions

Description

In the affected versions of this crate, LockWeak<T> unconditionally implemented Send with no trait bounds on T. LockWeak<T> doesn't own T and only provides &T.

This allows concurrent access to a non-Sync T, which can cause undefined behavior like data races.

Advisory available under CC0-1.0 license.