{"id":"GHSA-f997-8gxg-r354","summary":"Data races in lexer","details":"lexer is a plugin based lexical reader.Affected versions of this crate implements Sync for ReaderResult\u003cT, E\u003e with the trait bound T: Send, E: Send. Since matching on the public enum ReaderResult\u003cT, E\u003e provides access to &T & &E, allowing data race to a non-Sync type T or E. This can result in a memory corruption when multiple threads concurrently access &T or &E. Suggested fix for the bug is change the trait bounds imposed on T & E to be T: Sync, E: Sync.","aliases":["CVE-2020-36458","RUSTSEC-2020-0138"],"modified":"2023-11-08T04:03:46.074313Z","published":"2021-08-25T20:58:09Z","database_specific":{"cwe_ids":["CWE-362","CWE-77"],"nvd_published_at":"2021-08-08T06:15:00Z","github_reviewed_at":"2021-08-18T20:18:45Z","severity":"HIGH","github_reviewed":true},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36458"},{"type":"PACKAGE","url":"https://gitlab.com/nathanfaucett/rs-lexer"},{"type":"WEB","url":"https://gitlab.com/nathanfaucett/rs-lexer/-/issues/2"},{"type":"WEB","url":"https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/lexer/RUSTSEC-2020-0138.md"},{"type":"WEB","url":"https://rustsec.org/advisories/RUSTSEC-2020-0138.html"}],"affected":[{"package":{"name":"lexer","ecosystem":"crates.io","purl":"pkg:cargo/lexer"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"last_affected":"0.1.16"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-f997-8gxg-r354/GHSA-f997-8gxg-r354.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}