Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zNnhtLTM1cXEtNzk1d84AA1zR
Inventory exposes reference to non-Sync data to an arbitrary thread
Affected versions do not enforce a Sync bound on the type of caller-provided value held in the plugin registry. References to these values are made accessible to arbitrary threads other than the one that constructed them.
A caller could use this flaw to submit thread-unsafe data into inventory, then access it as a reference simultaneously from multiple threads.
The flaw was corrected by enforcing that data submitted by the caller into inventory is Sync.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zNnhtLTM1cXEtNzk1d84AA1zR
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: over 1 year ago
Identifiers: GHSA-36xm-35qq-795w
References:
- https://github.com/dtolnay/inventory/pull/42
- https://github.com/dtolnay/inventory/commit/e1e347d2725b9c9dd4a70b63eb08532ca9687652
- https://rustsec.org/advisories/RUSTSEC-2023-0058.html
- https://github.com/advisories/GHSA-36xm-35qq-795w
Blast Radius: 0.0
Affected Packages
cargo:inventory
Dependent packages: 110Dependent repositories: 1,796
Downloads: 25,070,329 total
Affected Version Ranges: < 0.2.0
Fixed in: 0.2.0
All affected versions: 0.0.1, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.1.10, 0.1.11
All unaffected versions: 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.3.10, 0.3.11, 0.3.12, 0.3.13, 0.3.14, 0.3.15, 0.3.16, 0.3.17, 0.3.18, 0.3.19