RUSTSEC-2021-0036

Intern: Data race allowed on T

Reported

March 3, 2021

Issued

March 4, 2021 (last modified: June 13, 2023)

Package

internment (crates.io)

Type

Vulnerability

Categories

thread-safety

Aliases

CVE-2021-28037
GHSA-gppw-3h6h-v6q2

References

https://github.com/droundy/internment/issues/20

CVSS Score

9.8 CRITICAL

CVSS Details

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Patched

>=0.4.2

Description

Affected versions of this crate unconditionally implements Sync for Intern<T>. This allows users to create data race on T: !Sync, which may lead to undefined behavior (for example, memory corruption).

The flaw was corrected in commit 2928a87 by adding the trait bound T: Sync in the Sync impl of Intern<T>.

Advisory available under CC0-1.0 license.