PT-2020-17575 · Rust · Im

Published: 2020-11-09 · Updated: 2021-08-25 · CVE-2020-36204

CVSS v3.1: 4.7 (Medium)

Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

im versions prior to 15.1.0
im versions through 2020-11-09

Description

An issue in the im crate allows a data race to occur because TreeFocus does not have bounds on its Send trait or Sync trait. This can happen when TreeFocus is extracted from the Focus type, potentially affecting safe Rust code. Typical users who only use the Focus type are not affected.

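The class of defect described above, shown as an added example that is not code from the im crate: the wrapper types `Unbounded` and `Bounded`, the `probe` helper and both functions are hypothetical, and the payload types are chosen only to show what each set of trait bounds lets the compiler accept.

```rust
use std::cell::Cell;
use std::marker::PhantomData;
use std::rc::Rc;
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::Arc;
use std::thread;

// Hypothetical wrappers (not the im crate's types). The raw-pointer marker
// switches off the auto-derived Send/Sync, so the impls below decide everything.
pub struct Unbounded<T> { pub value: T, _m: PhantomData<*const ()> }
pub struct Bounded<T> { pub value: T, _m: PhantomData<*const ()> }

// Flawed pattern: no bound on T, so any payload is declared thread-safe.
unsafe impl<T> Send for Unbounded<T> {}
unsafe impl<T> Sync for Unbounded<T> {}

// Bounded pattern: the wrapper is only as thread-safe as its payload.
unsafe impl<T: Send> Send for Bounded<T> {}
unsafe impl<T: Sync> Sync for Bounded<T> {}

// Compile-time probe: instantiating it proves X is Send + Sync.
fn probe<X: Send + Sync>() -> bool { true }

// Rc<Cell<_>> is neither Send nor Sync, yet this compiles: safe code could
// move the wrapper to another thread and race on the refcount and the Cell.
pub fn unbounded_accepts_rc() -> bool {
    probe::<Unbounded<Rc<Cell<u32>>>>()
}
// The same probe on Bounded<Rc<Cell<u32>>> is rejected with error E0277.

// A payload that really is Sync can still be shared through the bounded wrapper.
pub fn bounded_shared_count(threads: usize, per_thread: usize) -> usize {
    let shared = Arc::new(Bounded { value: AtomicUsize::new(0), _m: PhantomData });
    let handles: Vec<_> = (0..threads).map(|_| {
        let s = Arc::clone(&shared);
        thread::spawn(move || for _ in 0..per_thread {
            s.value.fetch_add(1, Ordering::Relaxed);
        })
    }).collect();
    for h in handles { h.join().unwrap(); }
    shared.value.load(Ordering::Relaxed)
}

fn main() {
    println!("unbounded accepts Rc: {}", unbounded_accepts_rc());
    println!("bounded count: {}", bounded_shared_count(4, 1000));
}
```

When auditing a crate for this pattern, every `unsafe impl Send` or `unsafe impl Sync` on a generic type is worth checking for a matching bound on each type parameter.
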
Recommendations

For im versions prior to 15.1.0, update to version 15.1.0 or later to resolve the issue. For im versions through 2020-11-09, update to a version released after 2020-11-09 to resolve the issue. As a temporary workaround, consider avoiding the extraction of TreeFocus from the Focus type until a patch is available.

Related Identifiers

CVE-2020-36204
GHSA-Q9H2-4XHF-23XX
RUSTSEC-2020-0096

Affected Products

Im