Race Condition Affecting arr package, versions *


Severity: medium

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

Exploit Maturity: Proof of concept
EPSS: 0.22% (62nd percentile)

  • Snyk ID: SNYK-RUST-ARR-6056557
  • published: 26 Aug 2020
  • disclosed: 25 Aug 2020
  • credit: Yechan Bae

Introduced: 25 Aug 2020

CVE-2020-35888
CWE-366

How to fix?

There is no fixed version for arr.

Overview

arr is a crate that provides a single fixed-sized array data-structure that is purely heap-based.

Affected versions of this package are vulnerable to a race condition. The crate incorrectly implements Sync/Send bounds, which allows non-Sync/Send types to be smuggled across the thread boundary.

NOTE: This vulnerability has also been identified as: CVE-2020-35887, CVE-2020-35886
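
The unbounded Send/Sync pattern described in the overview, next to the bounded form, as an added example that is not arr's code. `UnboundedArray`, `BoundedArray`, `Fallback` and the `IsSend`/`IsSync` probes are hypothetical names; the probe is a check that can go into a crate's own tests.

```rust
use std::cell::Cell;
use std::marker::PhantomData;
use std::rc::Rc;

// Hypothetical containers (not arr's code). Each owns a heap buffer through a
// raw pointer, so neither is Send or Sync unless the author opts in by hand.
#[allow(dead_code)]
pub struct UnboundedArray<T> { ptr: *mut T, len: usize }
#[allow(dead_code)]
pub struct BoundedArray<T> { ptr: *mut T, len: usize }

// Unsound: no bound on T, so every element type is declared thread-safe.
unsafe impl<T> Send for UnboundedArray<T> {}
unsafe impl<T> Sync for UnboundedArray<T> {}

// Sound: the container is only as thread-safe as its elements.
unsafe impl<T: Send> Send for BoundedArray<T> {}
unsafe impl<T: Sync> Sync for BoundedArray<T> {}

// Probe: the inherent const exists only when the bound holds, and then it
// takes priority over the default from the blanket trait impl.
pub trait Fallback { const YES: bool = false; }
impl<T: ?Sized> Fallback for T {}
pub struct IsSend<T: ?Sized>(PhantomData<T>);
pub struct IsSync<T: ?Sized>(PhantomData<T>);
#[allow(dead_code)]
impl<T: ?Sized + Send> IsSend<T> { pub const YES: bool = true; }
#[allow(dead_code)]
impl<T: ?Sized + Sync> IsSync<T> { pub const YES: bool = true; }

// (is Send with Rc elements, is Sync with Cell elements); Rc is not Send, Cell is not Sync.
pub fn unbounded_flags() -> (bool, bool) {
    (<IsSend<UnboundedArray<Rc<u32>>>>::YES, <IsSync<UnboundedArray<Cell<u32>>>>::YES)
}
pub fn bounded_flags() -> (bool, bool) {
    (<IsSend<BoundedArray<Rc<u32>>>>::YES, <IsSync<BoundedArray<Cell<u32>>>>::YES)
}
pub fn bounded_flags_plain() -> (bool, bool) {
    (<IsSend<BoundedArray<u32>>>::YES, <IsSync<BoundedArray<u32>>>::YES)
}

fn main() {
    println!("unbounded, thread-unsafe elements: {:?}", unbounded_flags());
    println!("bounded,   thread-unsafe elements: {:?}", bounded_flags());
    println!("bounded,   u32 elements:           {:?}", bounded_flags_plain());
}
```

The probe only works on concrete types, so it belongs in tests that name the element types of concern rather than in generic code.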
