
CVE-2020-36457: Data races in lever

CVSS Score: 8.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.64009%
Published: 8/25/2021
Updated: 3/31/2023
KEV Status: No
Technology: Rust

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: lever
Ecosystem: rust
Vulnerable Versions: < 0.1.1
First Patched Version: 0.1.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from unconditional implementations of the Send and Sync traits for AtomicBox<T>. The pre-patch code (unsafe impl<T: Sized> Sync/Send) lacked the required bounds on T, violating Rust's thread-safety guarantees. This allowed types such as Cell (which is not Sync) and Rc (which is not Send) to be shared across threads inside an AtomicBox, enabling data races. The commit diff shows exactly these trait implementations being modified to add T: Sync and T: Send bounds, confirming them as the vulnerable components. The added compile-fail test further verifies that such misuse is now rejected at compile time.
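A worked illustration of the root cause above, added here and not taken from the lever crate (the AtomicBox below is a constructed minimal stand-in, not the crate's real implementation): the pre-patch unconditional impls appear commented out beside the bounded ones, and the probe functions type-check only once T itself carries the bound.

```rust
use std::sync::atomic::{AtomicPtr, Ordering};
use std::thread;

/// Minimal stand-in for lever's AtomicBox<T> (constructed for this example,
/// not the crate's code): a heap-allocated T owned through an AtomicPtr.
pub struct AtomicBox<T> {
    ptr: AtomicPtr<T>,
}

impl<T> AtomicBox<T> {
    pub fn new(value: T) -> Self {
        AtomicBox { ptr: AtomicPtr::new(Box::into_raw(Box::new(value))) }
    }
    /// Shared read. Handing out `&T` to several threads is only sound
    /// when T: Sync, which the trait bounds below enforce.
    pub fn get(&self) -> &T {
        // SAFETY: pointer comes from Box::into_raw in `new`; freed only in `drop`.
        unsafe { &*self.ptr.load(Ordering::Acquire) }
    }
}

impl<T> Drop for AtomicBox<T> {
    fn drop(&mut self) {
        // SAFETY: `&mut self` guarantees no outstanding `&T` from `get`.
        unsafe { drop(Box::from_raw(self.ptr.load(Ordering::Acquire))) }
    }
}

// Pre-patch (< 0.1.1) shape as described above: only a Sized bound, so
// AtomicBox<Cell<u64>> was Sync and AtomicBox<Rc<u64>> was Send.
//   unsafe impl<T: Sized> Send for AtomicBox<T> {}
//   unsafe impl<T: Sized> Sync for AtomicBox<T> {}
// Patched shape: the container is only as thread-safe as T itself.
unsafe impl<T: Send> Send for AtomicBox<T> {}
unsafe impl<T: Sync> Sync for AtomicBox<T> {}

/// Compile-time probes: these calls type-check only for a bounded T.
/// With the bounds above, `assert_sync::<AtomicBox<std::cell::Cell<u64>>>()`
/// and `assert_send::<AtomicBox<std::rc::Rc<u64>>>()` are compile errors.
pub fn assert_send<T: Send>() -> bool { true }
pub fn assert_sync<T: Sync>() -> bool { true }

/// Share one AtomicBox<u64> read-only across `workers` threads and sum reads.
pub fn shared_read_sum(workers: u64) -> u64 {
    let shared = AtomicBox::new(21u64);
    thread::scope(|s| {
        let handles: Vec<_> = (0..workers).map(|_| s.spawn(|| *shared.get())).collect();
        handles.into_iter().map(|h| h.join().unwrap()).sum()
    })
}
```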


WAF Protection Rules

WAF Rule

An issue was discovered in the lever crate before 0.1.1 for Rust. AtomicBox<T> implements the Send and Sync traits for all types T. This allows non-Send types such as Rc and non-Sync types such as Cell to be used across thread boundaries which can tr
