GHSA-36xm-35qq-795w: Inventory exposes reference to non-Sync data to an arbitrary thread

September 11, 2023

Affected versions do not enforce a Sync bound on the type of caller-provided value held in the plugin registry. References to these values are made accessible to arbitrary threads other than the one that constructed them.

A caller could use this flaw to submit thread-unsafe data into inventory, then access it as a reference simultaneously from multiple threads.

The flaw was corrected by enforcing that data submitted by the caller into inventory is Sync.

References

github.com/advisories/GHSA-36xm-35qq-795w
github.com/dtolnay/inventory
github.com/dtolnay/inventory/commit/e1e347d2725b9c9dd4a70b63eb08532ca9687652
github.com/dtolnay/inventory/pull/42
rustsec.org/advisories/RUSTSEC-2023-0058.html

Detect and mitigate GHSA-36xm-35qq-795w with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →