4.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-36203

GHSA ID

GHSA-39xg-8p43-h76x

EPSS Score

0.13655%

CWE

CWE-362

Published

8/25/2021

Updated

6/13/2023

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-36203

CVE-2020-36203: Data races in reffers

ARefss<'a, V> is a type that is assumed to contain objects that are Send + Sync.

In the affected versions of this crate, Send/Sync traits are unconditionally implemented for ARefss<'a, V>.

By using the ARefss::map() API, we can insert a !Send or !Sync object into ARefss<'a, V>. After that, it is possible to create a data race to the inner object of ARefss<'a, V>, which can lead to undefined behavior & memory corruption.

The flaw was corrected in commit 6dd7ca0 by adding trait bound V: Send + Sync to ARefss::map() API.

(GitHub Advisory)

4.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-36203

GHSA ID

GHSA-39xg-8p43-h76x

EPSS Score

0.13655%

CWE

CWE-362

Published

8/25/2021

Updated

6/13/2023

KEV Status

Technology

Rust

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
reffers	rust	< 0.6.1	0.6.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing Send + Sync trait bounds on the generic type V in ARefss's mapping functions. The commit diff shows these bounds were added to both map() and try_map() in ARefss implementations. Before the fix, these functions allowed wrapping types that aren't thread-safe (V: !Send/!Sync) into ARefss which claims Send + Sync guarantees, enabling concurrent unsynchronized access. The PoC demonstrates how this could create data races with Cell (which is !Sync), confirming the exploit path through these functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*R**ss<'*, V> is * typ* t**t is *ssum** to *ont*in o*j**ts t**t *r* S*n* + Syn*. In t** *****t** v*rsions o* t*is *r*t*, S*n*/Syn* tr*its *r* un*on*ition*lly impl*m*nt** *or *R**ss<'*, V>. *y usin* t** *R**ss::m*p() *PI, w* **n ins*rt * !S*n* or !S

Reasoning

T** vuln*r**ility st*ms *rom missin* S*n* + Syn* tr*it *oun*s on t** **n*ri* typ* V in *R**ss's m*ppin* *un*tions. T** *ommit *i** s*ows t**s* *oun*s w*r* ***** to *ot* m*p() *n* try_m*p() in *R**ss impl*m*nt*tions. ***or* t** *ix, t**s* *un*tions *l

4.7

Basic Information

Concerned about an active attack path?

CVE-2020-36203: Data races in reffers

4.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI