search

lukebrogan-mend / vulnerable-rust

0 stars 0 forks source link

WS-2020-0189 (Medium) detected in futures-util-0.3.5.crate - autoclosed #15

Closed mend-for-github-com[bot] closed 1 year ago

mend-for-github-com[bot] commented 3 years ago

WS-2020-0189 - Medium Severity Vulnerability

Vulnerable Library - futures-util-0.3.5.crate

Common utilities and extension traits for the futures-rs library.

Library home page: https://crates.io/api/v1/crates/futures-util/0.3.5/download

Dependency Hierarchy: - hyper-0.13.5.crate (Root Library) - h2-0.2.5.crate - :x: **futures-util-0.3.5.crate** (Vulnerable Library)

Found in HEAD commit: 95d576b672062f2c8cd301fe4dd3e17fc29edc64

Found in base branch: master

Vulnerability Details

Affected versions of futures-rs had a Send/Sync implementation for MappedMutexGuard that only considered variance on T, while MappedMutexGuard dereferenced to U. This could of led to data races in safe Rust code when a closure used in MutexGuard::map() returns U that is unrelated to T. The issue was fixed by fixing Send and Sync implementations, and by adding a PhantomData<&'a mut U> marker to the MappedMutexGuard type to tell the compiler that the guard is over U too. This is affecting future-rs 0.3.2 through 0.3.6 and fixed in futures-rs 0.3.7 onwards.

Publish Date: 2020-11-02

URL: WS-2020-0189

CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-11-02

Fix Resolution: 0.3.7

mend-for-github-com[bot] commented 2 years ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-for-github-com[bot] commented 1 year ago

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

mend-for-github-com[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.