Lucene search

GitHub Advisory DatabaseGHSA-R93V-9P5Q-VHPF

HistoryMay 24, 2022 - 5:37 p.m.

futures_task::waker may cause a use-after-free if used on a type that isn't 'static

2022-05-2417:37:49

CWE-416

GitHub Advisory Database

github.com

7.2 High

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

20.2%

JSON

Affected versions of the crate did not properly implement a 'static lifetime bound on the waker function. This resulted in a use-after-free if Waker::wake() is called after original data had been dropped.

The flaw was corrected by adding 'static lifetime bound to the data waker takes.

Affected configurations

Vulners

Node

futurestaskRange<0.3.6

CPENameOperatorVersion
futures-tasklt0.3.6

CPE	Name	Operator	Version
	futures-task	lt	0.3.6

References

github.com/advisories/GHSA-r93v-9p5q-vhpf

github.com/rust-lang/futures-rs/pull/2206

nvd.nist.gov/vuln/detail/CVE-2020-35906

rustsec.org/advisories/RUSTSEC-2020-0060.html

7.2 High

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

20.2%

JSON

Related for GHSA-R93V-9P5Q-VHPF