
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical vulnerability was discovered in the model crate for Rust, tracked as CVE-2020-36460, affecting versions through 2020-11-10. The crate's Shared data structure implements the Send and Sync traits without regard for whether the inner type is itself thread-safe, potentially leading to unsafe concurrent access. The vulnerability was disclosed on November 10, 2020, and received a CVSS v3.1 score of 8.1 (High) (RustSec Advisory).
The vulnerability stems from the Shared data structure's implementation of Send and Sync traits without regard for the inner type's thread safety properties. This implementation flaw allows safe Rust code to trigger a data race, which constitutes undefined behavior in Rust. The issue received a CVSS v3.1 base score of 8.1, with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high impact across confidentiality, integrity, and availability (RustSec Advisory).
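The pattern described above, as an added Rust example (not the model crate's source and not taken from the advisory). SharedRef is a hypothetical raw-pointer wrapper: the unbounded impls appear only as comments, next to the bounded impls that let the compiler reject inner types that are not thread-safe.

```rust
use std::marker::PhantomData;
use std::sync::atomic::{AtomicUsize, Ordering};
use std::thread;

// Hypothetical stand-in for a wrapper like Shared; not the crate's code.
pub struct SharedRef<'a, T> {
    ptr: *const T, // raw pointer: the compiler derives neither Send nor Sync
    _borrow: PhantomData<&'a T>,
}

impl<'a, T> SharedRef<'a, T> {
    pub fn new(value: &'a T) -> Self {
        SharedRef { ptr: value as *const T, _borrow: PhantomData }
    }
    pub fn get(&self) -> &'a T {
        // SAFETY: ptr was created from a &'a T, so it is valid for 'a.
        unsafe { &*self.ptr }
    }
}

// Flawed pattern (comment only): no bound on T, so safe code could share
// a SharedRef<Cell<usize>> between threads and race on the Cell.
//   unsafe impl<'a, T> Send for SharedRef<'a, T> {}
//   unsafe impl<'a, T> Sync for SharedRef<'a, T> {}

// Bounded form: the wrapper hands out &T, which may cross threads only
// when T: Sync. A Cell<usize> inner type now fails to compile in spawn().
unsafe impl<'a, T: Sync> Send for SharedRef<'a, T> {}
unsafe impl<'a, T: Sync> Sync for SharedRef<'a, T> {}

// Safe use: AtomicUsize is Sync, so concurrent increments are race-free.
pub fn count_across_threads(threads: usize, per_thread: usize) -> usize {
    let counter = AtomicUsize::new(0);
    let shared = SharedRef::new(&counter);
    thread::scope(|s| {
        for _ in 0..threads {
            s.spawn(|| {
                for _ in 0..per_thread {
                    shared.get().fetch_add(1, Ordering::Relaxed);
                }
            });
        }
    });
    counter.load(Ordering::Relaxed)
}

fn main() {
    println!("{}", count_across_threads(4, 1000));
}
```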
The vulnerability can lead to data races in applications using the affected model crate, potentially resulting in undefined behavior in Rust programs. This could compromise the integrity and reliability of applications utilizing the Shared data structure, particularly in concurrent execution contexts (RustSec Advisory).
Users are advised to treat Shared as an unsafe type and avoid using it outside of testing contexts. When used in testing, care must be taken to ensure that the testing code does not introduce unintended data races beyond the race conditions being tested. The Rustonomicon documentation provides guidance on distinguishing between data races and general race conditions (RustSec Advisory).
Source: This report was generated using AI