CVE-2020-36448: Data races in cache
An issue was discovered in the cache crate through 2020-11-24 for Rust.
Affected versions of this crate unconditionally implement Send/Sync for Cache<K>. This allows users to insert K that is not Send or not Sync.
This allows users to create data races by using non-Send types like Arc<Cell<T>> or Rc<T> as K in Cache<K>. It is also possible to create data races by using types like Cell<T> or RefCell<T> (types that are Send but not Sync).
Such data races can lead to memory corruption.
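The unbounded impl pattern described above, next to a bounded form, as an added example that is not the cache crate's code. UnsoundCache, BoundedCache, Fallback and Probe are hypothetical names, and the bounds on BoundedCache are an assumed conservative choice, not the crate's actual fix.

```rust
use std::cell::Cell;
use std::marker::PhantomData;
use std::rc::Rc;

// Hypothetical stand-ins, not the crate's source. The raw pointer field
// turns off the auto-derived Send/Sync, so only the manual impls apply.
#[allow(dead_code)]
struct UnsoundCache<K>(*mut K);
// Pattern from the advisory: thread-safety claimed for every K.
unsafe impl<K> Send for UnsoundCache<K> {}
unsafe impl<K> Sync for UnsoundCache<K> {}

#[allow(dead_code)]
struct BoundedCache<K>(*mut K);
// Bounded form (assumed, conservative): claim only what K itself provides.
unsafe impl<K: Send> Send for BoundedCache<K> {}
unsafe impl<K: Send + Sync> Sync for BoundedCache<K> {}

// Compile-time probe: the inherent const wins when T: Send + Sync,
// otherwise lookup falls back to the blanket trait default (false).
trait Fallback { const SEND_SYNC: bool = false; }
impl<T: ?Sized> Fallback for T {}
#[allow(dead_code)]
struct Probe<T: ?Sized>(PhantomData<T>);
#[allow(dead_code)]
impl<T: ?Sized + Send + Sync> Probe<T> { const SEND_SYNC: bool = true; }

// Each function reports whether the cache type is Send + Sync for that key.
fn unsound_with_rc() -> bool { <Probe<UnsoundCache<Rc<u8>>>>::SEND_SYNC }
fn unsound_with_cell() -> bool { <Probe<UnsoundCache<Cell<u8>>>>::SEND_SYNC }
fn bounded_with_rc() -> bool { <Probe<BoundedCache<Rc<u8>>>>::SEND_SYNC }
fn bounded_with_cell() -> bool { <Probe<BoundedCache<Cell<u8>>>>::SEND_SYNC }
fn bounded_with_u64() -> bool { <Probe<BoundedCache<u64>>>::SEND_SYNC }

fn main() {
    println!("unsound, K = Rc<u8>:   {}", unsound_with_rc());
    println!("unsound, K = Cell<u8>: {}", unsound_with_cell());
    println!("bounded, K = Rc<u8>:   {}", bounded_with_rc());
    println!("bounded, K = Cell<u8>: {}", bounded_with_cell());
    println!("bounded, K = u64:      {}", bounded_with_u64());
}
```

With the bounded impls, passing a cache keyed by Rc<T> or Cell<T> to another thread is rejected at compile time instead of compiling into a data race.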