Miggo Logo
Book a Demo
Miggo Vulnerability Database
CVE-2020-36466

CVE-2020-36466:
Data races in cgc

5.9

CVSS Score

Basic Information

CVE ID
CVE-2020-36466
GHSA ID
GHSA-f9xr-3m55-5q2v
EPSS Score
-
CWE
CWE-362
Published
8/25/2021
Updated
6/13/2023
KEV Status
No
Technology
TechnologyRust

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
cgcrust<= 0.4.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from three core issues: 1) Improper Send/Sync implementations for Ptr<T> without type constraints, enabling cross-thread sharing of non-thread-safe types. 2) Ptr::get() creating multiple mutable references through raw pointer dereference, violating Rust's aliasing rules. 3) Ptr::set() using non-atomic writes, creating data race conditions. These are clearly demonstrated in the provided POC code showing Rc cloning across threads and mutable reference aliasing leading to segfaults. The GitHub issue explicitly identifies these unsafe implementations and methods as problematic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *is*ov*r** in t** *** *r*t* t*rou** ****-**-** *or Rust. Ptr impl*m*nts S*n* *n* Syn* *or *ll typ*s

Reasoning

T** vuln*r**ility st*ms *rom t*r** *or* issu*s: *) Improp*r S*n*/Syn* impl*m*nt*tions *or Ptr<T> wit*out typ* *onstr*ints, *n**lin* *ross-t*r*** s**rin* o* non-t*r***-s*** typ*s. *) Ptr::**t() *r**tin* multipl* mut**l* r***r*n**s t*rou** r*w point*r