PT-2020-17514 · Rust · Rocket

Published

2020-05-27

Updated

2021-08-25

CVE-2020-35882

CVSS v3.1

8.1

High

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions rocket versions prior to 0.4.5

Description An issue in the rocket crate for Rust allows LocalRequest::clone to create more than one mutable reference to the same object, possibly causing a data race. The Clone trait implementation of LocalRequest reuses the pointer to the inner Request object, leading to data races in rare combinations of APIs when the original and cloned objects are modified simultaneously.

Recommendations For versions prior to 0.4.5, update to version 0.4.5 or later to resolve the issue. As a temporary workaround, consider avoiding the use of LocalRequest::clone when modifying the original and cloned objects at the same time to minimize the risk of data races.

Exploit

Fix

Race Condition

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-362

Related Identifiers

CVE-2020-35882

GHSA-8Q2V-67V7-6VC6

RUSTSEC-2020-0028

Affected Products

Rocket

PT-2020-17514 · Rust · Rocket

CVE-2020-35882

Weakness Enumeration

Related Identifiers

Affected Products

References · 9