Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTlwcDQtOHA4di1nNzh3
Data races in lever
An issue was discovered in the lever crate before 0.1.1 for Rust. AtomicBox implements the Send and Sync traits for all types T. This allows non-Send types such as Rc and non-Sync types such as Cell to be used across thread boundaries which can trigger undefined behavior and memory corruption.
Permalink: https://github.com/advisories/GHSA-9pp4-8p8v-g78wJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTlwcDQtOHA4di1nNzh3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-9pp4-8p8v-g78w, CVE-2020-36457
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-36457
- https://github.com/vertexclique/lever/issues/15
- https://rustsec.org/advisories/RUSTSEC-2020-0137.html
- https://github.com/vertexclique/lever/pull/17
- https://github.com/vertexclique/lever/commit/4a4cca61cdb25061967d58522229e147483007b1
- https://github.com/advisories/GHSA-9pp4-8p8v-g78w
Blast Radius: 8.4
Affected Packages
cargo:lever
Dependent packages: 5Dependent repositories: 11
Downloads: 82,794 total
Affected Version Ranges: < 0.1.1
Fixed in: 0.1.1
All affected versions: 0.0.0, 0.1.0
All unaffected versions: 0.1.1, 0.1.2, 0.1.3, 0.1.4