GHSA-MXV6-Q98X-H958

Vulnerability from github – Published: 2021-08-25 20:56 – Updated: 2021-08-24 18:00
VLAI?
Summary
Data races in model
Details

Shared data structure in model crate implements Send and Sync traits regardless of the inner type. This allows safe Rust code to trigger a data race, which is undefined behavior in Rust.

Users are advised to treat Shared as an unsafe type. It should not be used outside of the testing context, and care must be taken so that the testing code does not have a data race besides a race condition that is expected to be caught by the test.

Severity ?
8.1 (High)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard Create KEV Entry 

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "model"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-36460"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362",
      "CWE-843"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-18T21:17:33Z",
    "nvd_published_at": "2021-08-08T06:15:00Z",
    "severity": "HIGH"
  },
  "details": "`Shared` data structure in `model` crate implements `Send` and `Sync` traits regardless of the inner type.\nThis allows safe Rust code to trigger a data race, which is undefined behavior in Rust.\n\nUsers are advised to treat `Shared` as an unsafe type.\nIt should not be used outside of the testing context,\nand care must be taken so that the testing code does not have a data race\nbesides a race condition that is expected to be caught by the test.\n",
  "id": "GHSA-mxv6-q98x-h958",
  "modified": "2021-08-24T18:00:46Z",
  "published": "2021-08-25T20:56:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36460"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spacejam/model/issues/3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/spacejam/model"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2020-0140.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Data races in model"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.