{"id":"RUSTSEC-2020-0115","summary":"Singleton lacks bounds on Send and Sync.","details":"`Singleton\u003cT\u003e` is meant to be a static object that can be initialized lazily. In\norder to satisfy the requirement that `static` items must implement `Sync`,\n`Singleton` implemented both `Sync` and `Send` unconditionally.\n\nThis allows for a bug where non-`Sync` types such as `Cell` can be used in\nsingletons and cause data races in concurrent programs.\n\nThe flaw was corrected in commit `b0d2bd20e` by adding trait bounds, requiring\nthe contaiend type to implement `Sync`.","aliases":["CVE-2020-36435","GHSA-fqq2-xp7m-xvm8"],"modified":"2023-11-08T04:03:44.661151Z","published":"2020-11-16T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/ruspiro-singleton"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2020-0115.html"},{"type":"REPORT","url":"https://github.com/RusPiRo/ruspiro-singleton/issues/10"}],"affected":[{"package":{"name":"ruspiro-singleton","ecosystem":"crates.io","purl":"pkg:cargo/ruspiro-singleton"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.4.1"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"arch":[],"os":[],"functions":[]}},"database_specific":{"cvss":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0115.json","informational":null,"categories":["memory-corruption","thread-safety"]}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}