
Inventory exposes reference to non-Sync data to an arbitrary thread

Moderate severity GitHub Reviewed Published Sep 11, 2023 to the GitHub Advisory Database • Updated Sep 11, 2023

Package

cargo inventory (Rust)

Affected versions

< 0.2.0

Patched versions

0.2.0

Description

Affected versions do not enforce a Sync bound on the type of the caller-provided values held in the plugin registry. References to these values are made accessible to arbitrary threads other than the one that constructed them.

A caller could use this flaw to submit thread-unsafe data into inventory, then access it as a reference simultaneously from multiple threads.

The flaw was corrected by enforcing that data submitted by the caller into inventory is Sync.
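The following is an added illustration, not code from the inventory crate: a hypothetical minimal registry that hands out `&'static T` references to any thread, written the way the fix requires, with a `T: Sync` bound on the registry API. The `Registry`, `Plugin`, and the sample plugin values are constructed for this example. With the bound in place, a thread-unsafe type such as `Cell<u32>` cannot be registered, which closes the route the advisory describes (submit non-Sync data, then read it as a reference from several threads at once).

```rust
use std::sync::{Mutex, Once};
use std::thread;

/// Hypothetical minimal plugin registry (not the inventory crate's code).
/// Registered values are `&'static T` references that any thread may read,
/// so the registry requires `T: Sync`, the bound the 0.2.0 fix adds.
/// Without that bound a type such as `Cell<u32>` could be registered and then
/// mutated through shared references from two threads at the same time.
pub struct Registry<T: 'static> {
    items: Mutex<Vec<&'static T>>,
}

impl<T: Sync + 'static> Registry<T> {
    /// `const fn` so the registry can live in a `static`, like a global plugin list.
    pub const fn new() -> Self {
        Registry { items: Mutex::new(Vec::new()) }
    }

    /// Submit a value. Because this impl block carries `T: Sync`, a call such as
    /// `Registry::<std::cell::Cell<u32>>::new()` is rejected at compile time.
    pub fn submit(&self, item: &'static T) {
        self.items.lock().unwrap().push(item);
    }

    /// Snapshot of the registered references (copies the pointers only).
    pub fn entries(&self) -> Vec<&'static T> {
        self.items.lock().unwrap().clone()
    }
}

/// Example plugin record. Both fields are `Sync`, so `Plugin: Sync`.
pub struct Plugin {
    pub name: &'static str,
    pub priority: u32,
}

// Constructed sample plugins and a global registry holding them.
static AUTH: Plugin = Plugin { name: "auth", priority: 10 };
static LOGGING: Plugin = Plugin { name: "logging", priority: 5 };
static PLUGINS: Registry<Plugin> = Registry::new();
static INIT: Once = Once::new();

/// Register the sample plugins exactly once, however often this is called.
pub fn register_demo_plugins() {
    INIT.call_once(|| {
        PLUGINS.submit(&AUTH);
        PLUGINS.submit(&LOGGING);
    });
}

/// Names of the registered plugins, in submission order.
pub fn plugin_names() -> Vec<&'static str> {
    PLUGINS.entries().iter().map(|p| p.name).collect()
}

/// Spawn `n` threads that each read the registry through `&'static Plugin`
/// references and return the sum of priorities they observed. This is the
/// cross-thread access the advisory describes; it is sound only because the
/// registry guarantees `Plugin: Sync`.
pub fn read_priorities_from_threads(n: usize) -> Vec<u32> {
    let handles: Vec<_> = (0..n)
        .map(|_| thread::spawn(|| PLUGINS.entries().iter().map(|p| p.priority).sum::<u32>()))
        .collect();
    handles.into_iter().map(|h| h.join().unwrap()).collect()
}

fn main() {
    register_demo_plugins();
    println!("registered: {:?}", plugin_names());
    for (i, sum) in read_priorities_from_threads(4).into_iter().enumerate() {
        println!("thread {i} saw total priority {sum}");
    }
}
```

The bound sits on the `impl` block rather than only on `submit`, so even constructing a `Registry<Cell<u32>>` fails to build; that is the stronger shape to reach for when a container will hand references to other threads, since `&T: Send` holds exactly when `T: Sync`.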

References

Published to the GitHub Advisory Database Sep 11, 2023
Reviewed Sep 11, 2023
Last updated Sep 11, 2023

Severity

Moderate

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-36xm-35qq-795w

Source code
