Reported

November 10, 2020

Issued

January 30, 2021 (last modified: June 13, 2023)

Package

model (crates.io)

Type

INFO Unsound

Categories

• thread-safety

Aliases

• CVE-2020-36460
• GHSA-mxv6-q98x-h958

References

• https://github.com/spacejam/model/issues/3

CVSS Score

8.1 HIGH

CVSS Details

Attack vector

Network

Attack complexity

High

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Patched

no patched versions

Description

Shared data structure in model crate implements Send and Sync traits regardless of the inner type. This allows safe Rust code to trigger a data race, which is undefined behavior in Rust.

Users are advised to treat Shared as an unsafe type. It should not be used outside of the testing context, and care must be taken so that the testing code does not have a data race besides a race condition that is expected to be caught by the test.

Check the Rustonomicon for the difference between a data race and a general race condition.

Advisory available under CC0-1.0 license.