Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTlwcDQtOHA4di1nNzh3

Data races in lever

An issue was discovered in the lever crate before 0.1.1 for Rust. AtomicBox implements the Send and Sync traits for all types T. This allows non-Send types such as Rc and non-Sync types such as Cell to be used across thread boundaries which can trigger undefined behavior and memory corruption.

Permalink: https://github.com/advisories/GHSA-9pp4-8p8v-g78w
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTlwcDQtOHA4di1nNzh3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 3 years ago
Updated: over 1 year ago


CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-9pp4-8p8v-g78w, CVE-2020-36457
References: Repository: https://github.com/vertexclique/lever
Blast Radius: 8.4

Affected Packages

cargo:lever
Dependent packages: 5
Dependent repositories: 11
Downloads: 94,053 total
Affected Version Ranges: < 0.1.1
Fixed in: 0.1.1
All affected versions: 0.0.0, 0.1.0
All unaffected versions: 0.1.1, 0.1.2, 0.1.3, 0.1.4