CVE-2020-36447: Data race in v9
(updated )
Affected versions of this crate unconditionally implement Sync for SyncRef. This definition allows data races if &T is accessible through &SyncRef.
SyncRef derives Clone and Debug, and the default implementations of those traits access &T by invoking T::clone() & T::fmt(). It is possible to create data races & undefined behavior by concurrently invoking SyncRef::clone() or SyncRef::fmt() from multiple threads with T: !Sync.
References
- github.com/advisories/GHSA-3837-87vh-xq3w
- github.com/purpleposeidon/v9
- github.com/purpleposeidon/v9/commit/18847c50e5d36561cc91c996c3539ddb1eacf6c7
- github.com/purpleposeidon/v9/issues/1
- nvd.nist.gov/vuln/detail/CVE-2020-36447
- raw.githubusercontent.com/rustsec/advisory-db/main/crates/v9/RUSTSEC-2020-0127.md
- rustsec.org/advisories/RUSTSEC-2020-0127.html
Detect and mitigate CVE-2020-36447 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →