Lucene search

GitHub Advisory DatabaseGHSA-69VJ-XX27-G45W

HistoryAug 25, 2021 - 8:51 p.m.

Data race in eventio

2021-08-2520:51:49

CWE-662

CWE-787

GitHub Advisory Database

github.com

data race

eventio

send

memory corruption

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.002

Percentile

52.9%

JSON

Input<R> implements Send without requiring R: Send.

Affected versions of this crate allows users to send non-Send types to other threads, which can lead to undefined behavior such as data race and memory corruption.

The flaw was corrected in version 0.5.1 by adding R: Send bound to the Send impl of Input<R>.

Affected configurations

Vulners

Node

eventioRange<0.5.1

VendorProductVersionCPE
*eventio*cpe:2.3:a:*:eventio:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
*	eventio	*	cpe:2.3:a::eventio::::::::*

References

github.com/advisories/GHSA-69vj-xx27-g45w

github.com/petabi/eventio/issues/33

nvd.nist.gov/vuln/detail/CVE-2020-36216

rustsec.org/advisories/RUSTSEC-2020-0108.html

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.002

Percentile

52.9%

JSON

Related for GHSA-69VJ-XX27-G45W