Closed mend-for-github-com[bot] closed 3 years ago
✔ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.
WS-2020-0290 - Medium Severity Vulnerability
Vulnerable Library - generator-0.6.21.crate
Stackfull Generator Library in Rust
Library home page: https://crates.io/api/v1/crates/generator/0.6.21/download
Dependency Hierarchy:
- hyper-0.13.5.crate (Root Library)
  - tokio-0.2.21.crate
    - bytes-0.5.5.crate
      - loom-0.3.4.crate
        - ❌ **generator-0.6.21.crate** (Vulnerable Library)
Found in HEAD commit: 95d576b672062f2c8cd301fe4dd3e17fc29edc64
Found in base branch: master
Vulnerability Details
All versions before v0.7.0 of the crate 'generator' are vulnerable. The Generator type is an iterable which uses a generator function that yields values. In affected versions of the crate, the provided function yielding values had no Send bounds despite the Generator itself implementing Send. The generator function lacking a Send bound means that types that are dangerous to send across threads such as Rc could be sent as part of a generator, potentially leading to data races. This flaw was fixed in commit f7d120a3b by enforcing that the generator function be bound by Send.
Publish Date: 2020-11-16
URL: WS-2020-0290
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://rustsec.org/advisories/RUSTSEC-2020-0151.html
Release Date: 2020-11-16
Fix Resolution: 0.7.0