CVE-2020-36460: Data races in model
The Shared data structure in the model crate implements the Send and Sync traits regardless of the inner type. This allows safe Rust code to trigger a data race, which is undefined behavior in Rust.
Users are advised to treat Shared as an unsafe type. It should not be used outside of the testing context, and care must be taken so that the testing code does not have a data race besides a race condition that is expected to be caught by the test.
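The defect class described above can be checked for at compile time. The following is an added example, not code from the model crate: UnsoundShared, SoundShared and the impls! probe are constructed names, and the sketch assumes only that the wrapper asserts Send and Sync for every inner type.

```rust
use std::cell::Cell;
use std::rc::Rc;
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::Arc;
use std::thread;

// Constructed stand-in for the defect: Send and Sync asserted for every T.
#[allow(dead_code)]
pub struct UnsoundShared<T>(pub T);
unsafe impl<T> Send for UnsoundShared<T> {}
unsafe impl<T> Sync for UnsoundShared<T> {}

// Corrected form: no unsafe impls, so the auto traits follow T.
pub struct SoundShared<T>(pub T);

// Compile-time probe: the inherent const wins only when `$ty: $tr` holds.
macro_rules! impls {
    ($ty:ty: $tr:ident) => {{
        trait Fallback { const YES: bool = false; }
        impl<T: ?Sized> Fallback for T {}
        #[allow(dead_code)]
        struct Probe<T: ?Sized>(std::marker::PhantomData<T>);
        impl<T: ?Sized + $tr> Probe<T> { const YES: bool = true; }
        <Probe<$ty>>::YES
    }};
}

pub fn audit() -> [bool; 4] {
    [
        impls!(UnsoundShared<Cell<i32>>: Sync), // true: Cell is !Sync, bound was skipped
        impls!(UnsoundShared<Rc<i32>>: Send),   // true: Rc is !Send, bound was skipped
        impls!(SoundShared<Cell<i32>>: Sync),   // false: compiler rejects sharing
        impls!(SoundShared<AtomicUsize>: Sync), // true: inner type really is Sync
    ]
}

// Sound cross-thread use: only compiles because AtomicUsize is Send + Sync.
pub fn sound_counter(threads: usize, per_thread: usize) -> usize {
    let shared = Arc::new(SoundShared(AtomicUsize::new(0)));
    let handles: Vec<_> = (0..threads).map(|_| {
        let s = Arc::clone(&shared);
        thread::spawn(move || for _ in 0..per_thread { s.0.fetch_add(1, Ordering::Relaxed); })
    }).collect();
    for h in handles { h.join().unwrap(); }
    shared.0.load(Ordering::Relaxed)
}

fn main() {
    println!("{:?} {}", audit(), sound_counter(4, 1000));
}
```

A probe of this kind can sit in a crate's test suite so that a wrapper which reports Sync for a Cell payload, or Send for an Rc payload, fails the build.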