Reported

December 17, 2020

Issued

March 30, 2021 (last modified: June 13, 2023)

Package

disrustor (crates.io)

Type

Vulnerability

Categories

• memory-corruption
• thread-safety

Aliases

• CVE-2020-36470
• GHSA-w9r2-qrpm-4rmj

References

• https://github.com/sklose/disrustor/issues/1

CVSS Score

5.9 MEDIUM

CVSS Details

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality Impact

None

Integrity Impact

None

Availability Impact

High

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Patched

• >=0.3

Description

The RingBuffer type retrieves mutable references from the DataProvider in a non-atomic manner, potentially allowing the creation of multiple mutable references. RingBuffer also implements the Send and Sync traits for all types T.

This allows undefined behavior from the aliased mutable references as well as data races.

Advisory available under CC0-1.0 license.