PT-2020-17645 · Rust · Multiqueue Crate

Published 2020-12-25 · Updated 2021-08-25 · CVE-2020-36463

CVSS v3.1: 8.1 High

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

multiqueue crate through 2020-12-25

Description

The multiqueue crate unconditionally implements Send for types used in its queue implementations, such as InnerSend<RW, T>, InnerRecv<RW, T>, FutInnerSend<RW, T>, and FutInnerRecv<RW, T>. Because the implementations place no Send bound on T, users can send non-Send types to other threads, resulting in data race bugs or other undefined behavior.

Recommendations

For multiqueue crate through 2020-12-25, consider restricting the use of the affected types (InnerSend<RW, T>, InnerRecv<RW, T>, FutInnerSend<RW, T>, FutInnerRecv<RW, T>) to prevent sending non-Send types to other threads until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
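The difference between an unconditional and a bounded Send implementation, with a compile-time check that can sit in a test suite, as an added example that is not code from the multiqueue crate or from this advisory. `UnboundedEndpoint`, `BoundedEndpoint`, `Probe`, `NotSendFallback` and `is_send!` are hypothetical names introduced here for illustration.

```rust
use std::marker::PhantomData;
use std::rc::Rc;

// Hypothetical stand-ins for a queue endpoint (not multiqueue's real types).
// The raw pointer field removes the automatic Send impl, so Send has to be
// declared by hand, which is where the bound can be forgotten.
#[allow(dead_code)]
pub struct UnboundedEndpoint<T>(*mut T);
#[allow(dead_code)]
pub struct BoundedEndpoint<T>(*mut T);

// Pattern described in the advisory: Send for every T, Send or not.
unsafe impl<T> Send for UnboundedEndpoint<T> {}
// Bounded form: the endpoint is Send only when its payload is Send.
unsafe impl<T: Send> Send for BoundedEndpoint<T> {}

// Compile-time probe. The inherent constant (true) applies only when
// T: Send; otherwise lookup falls back to the trait default (false).
#[allow(dead_code)]
pub struct Probe<T: ?Sized>(PhantomData<T>);
pub trait NotSendFallback {
    const IS_SEND: bool = false;
}
impl<T: ?Sized> NotSendFallback for T {}
#[allow(dead_code)]
impl<T: ?Sized + Send> Probe<T> {
    pub const IS_SEND: bool = true;
}

macro_rules! is_send {
    ($t:ty) => { <Probe<$t>>::IS_SEND };
}

// Rc<u32> is not Send: its reference count is updated without atomics.
pub fn unbounded_sends_rc() -> bool { is_send!(UnboundedEndpoint<Rc<u32>>) }
pub fn bounded_sends_rc() -> bool { is_send!(BoundedEndpoint<Rc<u32>>) }
pub fn bounded_sends_u32() -> bool { is_send!(BoundedEndpoint<u32>) }

fn main() {
    println!("unbounded endpoint carrying Rc<u32> is Send: {}", unbounded_sends_rc());
    println!("bounded endpoint carrying Rc<u32> is Send:   {}", bounded_sends_rc());
    println!("bounded endpoint carrying u32 is Send:       {}", bounded_sends_u32());
}
```

The probe only works on concrete types, so a regression test has to name each wrapper with a known non-Send payload such as `Rc<u32>`.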

Exploit

Command Injection

Race Condition

Weakness Enumeration

Related Identifiers

CVE-2020-36463
GHSA-JF43-3V8J-QWWR
GHSA-R2X6-VRXX-JGV4
RUSTSEC-2020-0143

Affected Products

Multiqueue Crate