PT-2020-17636 · Rust · Slock

Published 2020-11-17 · Updated 2021-08-25 · CVE-2020-36455

CVSS v3.1: 8.1 High

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: slock crate through 2020-11-17

Description: The issue concerns the slock crate, where Slock<T> unconditionally implements Send and Sync. This allows non-Send types to be sent to other threads, which can lead to data races and resulting memory corruption.

Recommendations: For versions of the slock crate through 2020-11-17, consider restricting the use of Slock<T> to prevent sending non-Send types to other threads until a fix is available. As a temporary workaround, avoid using Slock<T> with non-Send types to minimize the risk of data races and memory corruption.

Exploit

Fix

Command Injection

Race Condition

Weakness Enumeration

Related Identifiers

CVE-2020-36455
GHSA-83R8-P8V6-6GFM
GHSA-MC36-5M36-HJH5
RUSTSEC-2020-0135

Affected Products

Slock