PT-2020-17628 · Rust · Cache Crate

Published

2020-11-24

Updated

2021-08-25

CVE-2020-36448

CVSS v3.1

8.1

High

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions cache crate through 2020-11-24

Description An issue in the cache crate allows users to insert types that are not Send or not Sync, such as Arc<Cell<T>> or Rc<T>, as K in Cache<K>. This can lead to data races, which can result in memory corruption. Additionally, using types like Cell<T> or RefCell<T> that are Send but not Sync can also create data races.

Recommendations For versions of the cache crate through 2020-11-24, consider restricting the use of Cache<K> to only Send and Sync types to minimize the risk of data races and memory corruption. As a temporary workaround, avoid using non-Send types like Arc<Cell<T>> or Rc<T> as K in Cache<K>, and refrain from using types like Cell<T> or RefCell<T> that are Send but not Sync.

Exploit

Fix

Command Injection

Race Condition

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-77CWE-362

Related Identifiers

CVE-2020-36448

GHSA-G78P-G85H-Q6WW

RUSTSEC-2020-0128

Affected Products

Cache Crate

PT-2020-17628 · Rust · Cache Crate

CVE-2020-36448

Weakness Enumeration

Related Identifiers

Affected Products

References · 9