CVE-2022-23639 (High) detected in crossbeam-utils-0.7.2.crate #747
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
CVE-2022-23639 - High Severity Vulnerability
Utilities for concurrent programming
Library home page: https://crates.io/api/v1/crates/crossbeam-utils/0.7.2/download
Path to dependency file: /packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/rust/gen/Cargo.toml
Path to vulnerable library: /packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/rust/gen/Cargo.toml
Dependency Hierarchy:
Found in base branch: master
crossbeam-utils provides atomics, synchronization primitives, scoped threads, and other utilities for concurrent programming in Rust. crossbeam-utils prior to version 0.8.7 incorrectly assumed that the alignment of "{i,u}64" was always the same as "Atomic{I,U}64". However, the alignment of "{i,u}64" on a 32-bit target can be smaller than "Atomic{I,U}64". This can cause unaligned memory accesses and data race. Crates using "fetch_*" methods with "AtomicCell<{i,u}64>" are affected by this issue. 32-bit targets without "Atomic{I,U}64" and 64-bit targets are not affected by this issue. This has been fixed in crossbeam-utils 0.8.7. There are currently no known workarounds.
Publish Date: 2022-02-15
URL: CVE-2022-23639
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: