
CVE-2020-36204: Data races in im

CVSS Score: 4.7
CVSS Version: 3.1

Basic Information

EPSS Score: 0.15388%
Published: 8/25/2021
Updated: 5/1/2023
KEV Status: No
Technology: Rust

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Package Name: im
Ecosystem: rust
Vulnerable Versions: >= 12.0.0, < 15.1.0
First Patched Version: 15.1.0

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from TreeFocus's unconditional implementations of Send/Sync traits. The commit diff shows these traits were originally implemented without type bounds (impl<A>), allowing TreeFocus to be sent/shared between threads even when containing non-Send/non-Sync types. This violates Rust's thread safety guarantees and enables data races. The patch adds A: Send/Sync bounds to these trait implementations, confirming these were the vulnerable code points.
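The unbounded and bounded impl patterns described above, side by side, as an added example that is not code from the im crate. `UnboundedFocus`, `BoundedFocus` and their raw-pointer field are hypothetical stand-ins for TreeFocus, and `Probe` / `is_send!` are helper names introduced here to report whether the compiler treats a type as Send.

```rust
use std::marker::PhantomData;
use std::rc::Rc;

// Hypothetical stand-ins for a focus type that keeps a raw pointer into a tree.
// Raw pointers are neither Send nor Sync, so each type needs explicit unsafe impls.
#[allow(dead_code)]
struct UnboundedFocus<A> { node: *mut A }
#[allow(dead_code)]
struct BoundedFocus<A> { node: *mut A }

// Vulnerable pattern: no bound on A, so the wrapper is Send/Sync for every A,
// including element types such as Rc<T> that must never cross threads.
unsafe impl<A> Send for UnboundedFocus<A> {}
unsafe impl<A> Sync for UnboundedFocus<A> {}

// Patched pattern: the wrapper is only as thread-safe as its element type.
unsafe impl<A: Send> Send for BoundedFocus<A> {}
unsafe impl<A: Sync> Sync for BoundedFocus<A> {}

// Probe using autoref method resolution: the IsSend impl is tried first and
// only applies when T: Send; otherwise resolution falls back to NotSend.
struct Probe<T>(PhantomData<T>);
trait IsSend { fn is_send(&self) -> bool { true } }
impl<T: Send> IsSend for Probe<T> {}
trait NotSend { fn is_send(&self) -> bool { false } }
impl<'a, T> NotSend for &'a Probe<T> {}

macro_rules! is_send {
    ($t:ty) => { (&Probe::<$t>(PhantomData)).is_send() };
}

// Rc<u32> is !Send, yet the unbounded impl still marks the wrapper as Send.
fn unbounded_rc_is_send() -> bool { is_send!(UnboundedFocus<Rc<u32>>) }
// With the bound, the wrapper around Rc<u32> is correctly rejected.
fn bounded_rc_is_send() -> bool { is_send!(BoundedFocus<Rc<u32>>) }
// Element types that are Send keep working after the fix.
fn bounded_u32_is_send() -> bool { is_send!(BoundedFocus<u32>) }

fn main() {
    println!("UnboundedFocus<Rc<u32>>: Send = {}", unbounded_rc_is_send());
    println!("BoundedFocus<Rc<u32>>:   Send = {}", bounded_rc_is_send());
    println!("BoundedFocus<u32>:       Send = {}", bounded_u32_is_send());
}
```

When auditing a crate for this class of bug, every `unsafe impl` of Send or Sync on a generic type whose parameters carry no bounds deserves a closer look.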


WAF Protection Rules

WAF Rule

An issue was discovered in the im crate prior to **.*.* for Rust. Because TreeFocus does not have bounds on its Send trait or Sync trait, a data race can occur.
