rustsec-2020-0091
Vulnerability from osv_rustsec
Published
2020-12-10 12:00
Modified
2023-06-13 13:10
Summary
Dangling reference in `access::Map` with Constant
Details
Using `arc_swap::access::Map` with the `Constant` test helper (or with a
user-provided implementation of the `Access` trait) could sometimes lead to the
map returning dangling references.
The affected code was replaced by an implementation without `unsafe`, at the cost of an added `Clone` bound
on the closure and a small performance penalty.
{
  "affected": [
    {
      "database_specific": {
        "categories": [
          "memory-corruption"
        ],
        "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [
            "arc_swap::access::MapGuard::deref"
          ],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "arc-swap",
        "purl": "pkg:cargo/arc-swap"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.4.2"
            },
            {
              "fixed": "0.4.8"
            },
            {
              "introduced": "1.0.0-0"
            },
            {
              "fixed": "1.1.0"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "CVE-2020-35711",
    "GHSA-9pqx-g3jh-qpqq"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "Using the `arc_swap::access::Map` with the `Constant` test helper (or with\nuser-provided implementation of the `Access` trait) could sometimes lead to the\nmap returning dangling references.\n\nReplaced by implementation without `unsafe`, at the cost of added `Clone` bound\non the closure and small penalty on performance.",
  "id": "RUSTSEC-2020-0091",
  "modified": "2023-06-13T13:10:24Z",
  "published": "2020-12-10T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/arc-swap"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2020-0091.html"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/vorner/arc-swap/issues/45"
    }
  ],
  "related": [],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Dangling reference in `access::Map` with Constant"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.