CVE-2020-36457: Data races in lever
An issue was discovered in the lever crate before 0.1.1 for Rust. AtomicBox implements the Send and Sync traits for all types T. This allows non-Send types such as Rc and non-Sync types such as Cell to be used across thread boundaries which can trigger undefined behavior and memory corruption.
References
- github.com/advisories/GHSA-9pp4-8p8v-g78w
- github.com/vertexclique/lever
- github.com/vertexclique/lever/commit/4a4cca61cdb25061967d58522229e147483007b1
- github.com/vertexclique/lever/issues/15
- github.com/vertexclique/lever/pull/17
- nvd.nist.gov/vuln/detail/CVE-2020-36457
- rustsec.org/advisories/RUSTSEC-2020-0137.html
Code Behaviors & Features
Detect and mitigate CVE-2020-36457 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →