PT-2021-24278 · Unknown · Metrics-Util

Published: 2021-04-07 · Updated: 2022-06-17 · CVE-2021-45704

CVSS v3.1: 8.1 High

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: metrics-util crate versions prior to 0.7.0
Description: The issue is a data race and memory corruption in the AtomicBucket<T> implementation. AtomicBucket<T> unconditionally implements the Send and Sync traits, so users can create a data race on an inner T that is !Sync through the AtomicBucket::data_with() API. Such data races can cause memory corruption or other undefined behavior.
Recommendations: For versions prior to 0.7.0, update to version 0.7.0 or later, which fixes the issue by adding appropriate Send/Sync bounds to the Send/Sync impls of struct Block<T>. As a temporary workaround, consider avoiding the AtomicBucket::data_with() API to minimize the risk of exploitation.
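
The difference between unconditional and bounded Send/Sync impls, as an added example that is not the metrics-util crate's code. UnboundedBucket, BoundedBucket and Probe are hypothetical names, and the bounds shown (T: Send for Send, T: Sync for Sync) are an assumption about what "appropriate" bounds look like for a container that hands out &T.

```rust
use std::cell::Cell;
use std::marker::PhantomData;
use std::sync::atomic::{AtomicU64, Ordering};

// Hypothetical stand-ins for the crate's container, not its real code.
// The raw pointer removes the auto Send/Sync impls, so they are written by hand.
#[allow(dead_code)]
pub struct UnboundedBucket<T>(*mut T);
pub struct BoundedBucket<T>(*mut T);

// Vulnerable pattern: Send/Sync for every T, including T: !Sync.
unsafe impl<T> Send for UnboundedBucket<T> {}
unsafe impl<T> Sync for UnboundedBucket<T> {}

// Bounded pattern (assumed bounds): a shared bucket hands out &T, so T must be Sync.
unsafe impl<T: Send> Send for BoundedBucket<T> {}
unsafe impl<T: Sync> Sync for BoundedBucket<T> {}

impl<T> BoundedBucket<T> {
    pub fn new(v: T) -> Self { BoundedBucket(Box::into_raw(Box::new(v))) }
    // Same shape as a data_with()-style accessor: the closure receives &T.
    pub fn data_with<R>(&self, f: impl FnOnce(&T) -> R) -> R { f(unsafe { &*self.0 }) }
}
impl<T> Drop for BoundedBucket<T> {
    fn drop(&mut self) { unsafe { drop(Box::from_raw(self.0)) } }
}

// Probe: the inherent const applies only when T: Sync, else the trait default is used.
#[allow(dead_code)]
struct Probe<T>(PhantomData<T>);
trait NotSync { const SYNC: bool = false; }
impl<T> NotSync for Probe<T> {}
impl<T: Sync> Probe<T> { const SYNC: bool = true; }

// Cell<u64> is !Sync: the unbounded impl still claims Sync, the bounded one does not.
pub fn unbounded_cell_is_sync() -> bool { <Probe<UnboundedBucket<Cell<u64>>>>::SYNC }
pub fn bounded_cell_is_sync() -> bool { <Probe<BoundedBucket<Cell<u64>>>>::SYNC }
pub fn bounded_atomic_is_sync() -> bool { <Probe<BoundedBucket<AtomicU64>>>::SYNC }

// Sharing across threads still compiles for a Sync payload such as AtomicU64.
pub fn count_from_threads() -> u64 {
    let b = BoundedBucket::new(AtomicU64::new(0));
    std::thread::scope(|s| {
        for _ in 0..4 {
            s.spawn(|| { for _ in 0..1000 { b.data_with(|a| a.fetch_add(1, Ordering::Relaxed)); } });
        }
    });
    b.data_with(|a| a.load(Ordering::Relaxed))
}
fn main() { println!("{} {} {}", unbounded_cell_is_sync(), bounded_cell_is_sync(), count_from_threads()); }
```

With the bounded impls, passing a BoundedBucket<Cell<u64>> by reference into a spawned thread is rejected at compile time instead of racing at run time.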

Fix

Race Condition

Memory Corruption


Weakness Enumeration

Related Identifiers

CVE-2021-45704
GHSA-3HXH-7JXM-59X4
GHSA-CWVC-87XQ-PC5M
RUSTSEC-2021-0113

Affected Products

Metrics-Util