CVE-2020-36448: Data races in cache

CVSS Score: 8.1 (CVSS 3.1)

Basic Information

EPSS Score: 0.64009%
Published: 8/25/2021
Updated: 2/1/2023
KEV Status: No
Technology: Rust

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| cache | rust | <= 0.2.0 | |

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from improper trait implementations rather than from specific functions. The `Cache<K>` struct unconditionally implements the `Send` and `Sync` traits without requiring `K` to be `Send`/`Sync`. This allows non-thread-safe types (e.g., `Rc<T>`, `Cell<T>`) to be used in multi-threaded contexts, causing data races. The root cause is the `unsafe impl<K> Send for Cache<K> {}` and `unsafe impl<K> Sync for Cache<K> {}` implementations, which lack trait bounds on `K`. Since these are trait implementations rather than discrete functions, no specific functions are identified as vulnerable.
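
The bounded form of those two impls, as an added example (not code from the cache crate or from this page): `Cache<K>` here is a hypothetical stand-in with an assumed layout, and `Probe`, `Unbounded`, `audit` and `len_from_worker` are illustrative names. It shows which key types the compiler accepts across threads once `K` carries the bounds.

```rust
use std::cell::Cell;
use std::marker::PhantomData;
use std::rc::Rc;
use std::sync::Arc;
use std::thread;

/// Hypothetical stand-in for the crate's `Cache<K>` (the real layout is not shown on the page).
pub struct Cache<K> {
    slots: Vec<K>,
    _raw: PhantomData<*mut K>, // opts out of auto Send/Sync, as a raw pointer field would
}
impl<K> Cache<K> {
    pub fn new() -> Self { Cache { slots: Vec::new(), _raw: PhantomData } }
    pub fn insert(&mut self, k: K) { self.slots.push(k) }
    pub fn len(&self) -> usize { self.slots.len() }
}

// Form described on the page: `unsafe impl<K> Send for Cache<K> {}` (and the same for Sync).
// Bounded form: the cache crosses threads only when its keys may.
unsafe impl<K: Send> Send for Cache<K> {}
unsafe impl<K: Sync> Sync for Cache<K> {}

// Probe: the inherent const applies when the bound holds, the trait default otherwise.
#[allow(dead_code)]
struct Probe<T>(PhantomData<T>);
trait Unbounded { const SEND: bool = false; const SYNC: bool = false; }
impl<T> Unbounded for Probe<T> {}
impl<T: Send> Probe<T> { const SEND: bool = true; }
impl<T: Sync> Probe<T> { const SYNC: bool = true; }

/// (type, is Send, is Sync) for three key types, resolved at compile time.
pub fn audit() -> [(&'static str, bool, bool); 3] {
    [("Cache<u32>", Probe::<Cache<u32>>::SEND, Probe::<Cache<u32>>::SYNC),
     ("Cache<Rc<u32>>", Probe::<Cache<Rc<u32>>>::SEND, Probe::<Cache<Rc<u32>>>::SYNC),
     ("Cache<Cell<u32>>", Probe::<Cache<Cell<u32>>>::SEND, Probe::<Cache<Cell<u32>>>::SYNC)]
}

/// A cache of Send + Sync keys is still usable from another thread.
pub fn len_from_worker() -> usize {
    let mut cache = Cache::new();
    cache.insert(7u32);
    let shared = Arc::new(cache);
    let worker = Arc::clone(&shared);
    thread::spawn(move || worker.len()).join().unwrap()
}

fn main() {
    for (ty, send, sync) in audit() { println!("{ty}: Send={send} Sync={sync}"); }
    println!("len seen by worker thread: {}", len_from_worker());
}
```

With the unbounded impls quoted above, all three rows would report `Send` and `Sync` as true, which is the condition the analysis describes.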
