CVE-2020-36459: Data races in dces

August 25, 2021

An issue was discovered in the dces crate through 2020-12-09 for Rust. The World type is marked as Send but lacks bounds on its EntityStore and ComponentStore. This allows non-thread safe EntityStore and ComponentStores to be sent across threads and cause data races.

References

github.com/advisories/GHSA-hxw9-jxqw-jc8j
gitlab.redox-os.org/redox-os/dces-rust
gitlab.redox-os.org/redox-os/dces-rust/-/issues/8
nvd.nist.gov/vuln/detail/CVE-2020-36459
raw.githubusercontent.com/rustsec/advisory-db/main/crates/dces/RUSTSEC-2020-0139.md
rustsec.org/advisories/RUSTSEC-2020-0139.html

Detect and mitigate CVE-2020-36459 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →