GHSA-FVHR-7J8M-3CVC
Vulnerability from github – Published: 2021-08-25 20:57 – Updated: 2021-08-24 19:08
Summary
Data races in appendix
Details
The `appendix` crate implements a key-value mapping data structure called
`Index<K, V>` that is stored on disk. The crate allows any type to inhabit
the generic `K` and `V` type parameters and implements `Send` and `Sync` for
`Index` unconditionally, with no bounds on `K` and `V`.
Using a type that is not marked as `Send` or `Sync` with `Index` can allow it
to be used across multiple threads, leading to data races. Additionally, using
reference types for the keys or values will lead to segmentation faults
in the crate's code.
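The unbounded pattern described above next to a bounded form, as an added example that is not the `appendix` crate's code: `UnboundedIndex`, `BoundedIndex`, `Probe` and the chosen bounds are assumptions, since the advisory does not state a fix. The probe resolves at compile time whether each instantiation is `Send`/`Sync`, so nothing is actually shared across threads.

```rust
use std::cell::Cell;
use std::marker::PhantomData;
use std::rc::Rc;

// Hypothetical stand-ins for the crate's Index<K, V>. The raw pointer field
// turns off the auto traits, so Send/Sync exist only through the impls below.
#[allow(dead_code)]
pub struct UnboundedIndex<K, V>(*mut u8, PhantomData<(K, V)>);
#[allow(dead_code)]
pub struct BoundedIndex<K, V>(*mut u8, PhantomData<(K, V)>);

// Pattern from the advisory: thread-safety is claimed for every K and V.
unsafe impl<K, V> Send for UnboundedIndex<K, V> {}
unsafe impl<K, V> Sync for UnboundedIndex<K, V> {}

// Hardened form (assumed, conservative bounds): inherit it from K and V.
unsafe impl<K: Send, V: Send> Send for BoundedIndex<K, V> {}
unsafe impl<K: Send + Sync, V: Send + Sync> Sync for BoundedIndex<K, V> {}

// Compile-time probe: the inherent consts are chosen only when their bound
// holds; otherwise lookup falls back to the trait defaults (false).
#[allow(dead_code)]
struct Probe<T: ?Sized>(PhantomData<T>);
trait Fallback {
    const SEND: bool = false;
    const SYNC: bool = false;
}
impl<T: ?Sized> Fallback for Probe<T> {}
impl<T: ?Sized + Send> Probe<T> { const SEND: bool = true; }
impl<T: ?Sized + Sync> Probe<T> { const SYNC: bool = true; }

macro_rules! send_sync {
    ($t:ty) => { (<Probe<$t>>::SEND, <Probe<$t>>::SYNC) };
}

// Each function returns (is_send, is_sync) for one instantiation.
pub fn unbounded_with_rc() -> (bool, bool) { send_sync!(UnboundedIndex<Rc<u8>, u64>) }
pub fn bounded_with_rc() -> (bool, bool) { send_sync!(BoundedIndex<Rc<u8>, u64>) }
pub fn bounded_with_cell() -> (bool, bool) { send_sync!(BoundedIndex<u64, Cell<u32>>) }
pub fn bounded_with_plain() -> (bool, bool) { send_sync!(BoundedIndex<u64, String>) }

fn main() {
    println!("unbounded, Rc key:   {:?}", unbounded_with_rc());
    println!("bounded, Rc key:     {:?}", bounded_with_rc());
    println!("bounded, Cell value: {:?}", bounded_with_cell());
    println!("bounded, plain data: {:?}", bounded_with_plain());
}
```

With the unbounded impls the compiler accepts an `Rc` key as thread-safe; with the bounded impls the same instantiation is rejected for both traits, and a `Cell` value stays `Send` but not `Sync`.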
Severity
5.9 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "appendix"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-36469"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-18T20:35:37Z",
"nvd_published_at": "2021-08-08T06:15:00Z",
"severity": "MODERATE"
},
"details": "The `appendix` crate implements a key-value mapping data structure called\n`Index\u003cK, V\u003e` that is stored on disk. The crate allows for any type to inhabit\nthe generic `K` and `V` type parameters and implements Send and Sync for them\nunconditionally.\n\nUsing a type that is not marked as `Send` or `Sync` with `Index` can allow it\nto be used across multiple threads leading to data races. Additionally using\nreference types for the keys or values will lead to the segmentation faults\nin the crate\u0027s code.",
"id": "GHSA-fvhr-7j8m-3cvc",
"modified": "2021-08-24T19:08:25Z",
"published": "2021-08-25T20:57:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36469"
},
{
"type": "WEB",
"url": "https://github.com/krl/appendix/issues/6"
},
{
"type": "PACKAGE",
"url": "https://github.com/krl/appendix"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2020-0149.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Data races in appendix"
}