
RUSTSEC-2020-0137

AtomicBox lacks bound on its Send and Sync traits allowing data races

Reported
Issued
Package: lever (crates.io)
Type: Vulnerability
Categories
Keywords: #concurrency
Aliases
Details: https://github.com/vertexclique/lever/issues/15
CVSS Score: 8.1 HIGH
CVSS Details
  • Attack vector: Network
  • Attack complexity: High
  • Privileges required: None
  • User interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Patched
  • >=0.1.1

Description

AtomicBox<T> is a Box type designed to be used across threads; however, it implements the Send and Sync traits for all types T.

This allows non-Send types such as Rc and non-Sync types such as Cell to be used across thread boundaries, which can trigger undefined behavior and memory corruption.
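
The difference a bound makes, as an added example (not lever's code or its patch): `BoundedBox`, `Probe`, `Fallback`, `markers` and `shared_sum` are hypothetical names, and the box is a simplified read-only stand-in. Its Send and Sync impls are bounded on T, so the compiler reports the box around Rc or Cell as unsafe to share instead of accepting it.

```rust
use std::cell::Cell;
use std::marker::PhantomData;
use std::rc::Rc;

/// Hypothetical read-only cross-thread box (a stand-in, not lever's AtomicBox).
pub struct BoundedBox<T> {
    ptr: *mut T, // raw pointer: the compiler derives neither Send nor Sync
}

impl<T> BoundedBox<T> {
    pub fn new(v: T) -> Self { Self { ptr: Box::into_raw(Box::new(v)) } }
    pub fn get(&self) -> &T {
        unsafe { &*self.ptr } // SAFETY: ptr comes from Box::into_raw, freed only in Drop
    }
}

impl<T> Drop for BoundedBox<T> {
    fn drop(&mut self) {
        unsafe { drop(Box::from_raw(self.ptr)) } // SAFETY: allocated in new(), freed once
    }
}

// The pattern the advisory describes would be `unsafe impl<T> Send for BoundedBox<T> {}`
// (and likewise Sync) with no bound on T. Bounded impls tie the markers to T instead:
unsafe impl<T: Send> Send for BoundedBox<T> {}
unsafe impl<T: Sync> Sync for BoundedBox<T> {}
// Compile-time probe: the inherent const is chosen only when the bound holds.
trait Fallback { const SEND: bool = false; const SYNC: bool = false; }
impl<T: ?Sized> Fallback for T {}
struct Probe<T: ?Sized>(PhantomData<T>);
impl<T: ?Sized + Send> Probe<T> { const SEND: bool = true; }
impl<T: ?Sized + Sync> Probe<T> { const SYNC: bool = true; }
macro_rules! send_sync { ($t:ty) => { (<Probe<$t>>::SEND, <Probe<$t>>::SYNC) }; }
/// (Send, Sync) for the box around Vec<u32>, Cell<u8> and Rc<u8>.
pub fn markers() -> [(bool, bool); 3] {
    [send_sync!(BoundedBox<Vec<u32>>), send_sync!(BoundedBox<Cell<u8>>), send_sync!(BoundedBox<Rc<u8>>)]
}

/// Four scoped threads read one box; this compiles only because Vec<u32>: Sync.
pub fn shared_sum() -> u32 {
    let b = BoundedBox::new(vec![1u32, 2, 3]);
    let r = &b;
    std::thread::scope(|s| {
        let hs: Vec<_> = (0..4).map(|_| s.spawn(move || r.get().iter().sum::<u32>())).collect();
        hs.into_iter().map(|h| h.join().unwrap()).sum::<u32>()
    })
}
fn main() { println!("{:?} {}", markers(), shared_sum()); }
```

Replacing `Vec<u32>` with `Rc<u8>` in `shared_sum` turns the would-be data race into a compile error, which is the check an unbounded impl silently disables.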