{"id":"RUSTSEC-2023-0058","summary":"Exposes reference to non-Sync data to an arbitrary thread","details":"Affected versions do not enforce a `Sync` bound on the type of caller-provided\nvalue held in the plugin registry. References to these values are made\naccessible to arbitrary threads other than the one that constructed them.\n\nA caller could use this flaw to submit thread-unsafe data into inventory, then\naccess it as a reference simultaneously from multiple threads.\n\nThe flaw was corrected by enforcing that data submitted by the caller into\ninventory is `Sync`.","aliases":["GHSA-36xm-35qq-795w"],"modified":"2024-02-10T16:26:47.997172Z","published":"2023-09-10T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/inventory"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2023-0058.html"},{"type":"WEB","url":"https://github.com/dtolnay/inventory/pull/42"}],"affected":[{"package":{"name":"inventory","ecosystem":"crates.io","purl":"pkg:cargo/inventory"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.2.0"}]}],"ecosystem_specific":{"affects":{"arch":[],"os":[],"functions":[]},"affected_functions":null},"database_specific":{"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0058.json","informational":"unsound","cvss":null,"categories":["thread-safety"]}}],"schema_version":"1.7.3"}