GHSA-36xm-35qq-795w: 
Rust vulnerability analysis and mitigation

The vulnerability (GHSA-36xm-35qq-795w) affects the Rust cargo inventory package versions prior to 0.2.0. Discovered and disclosed on September 11, 2023, this moderate severity vulnerability involves the exposure of non-Sync data references to arbitrary threads. The core issue lies in the package's failure to enforce Sync bounds on caller-provided values stored in the plugin registry (GitHub Advisory, RustSec Advisory).

The technical issue stems from the package not enforcing a Sync bound on the type of caller-provided value held in the plugin registry. References to these values could be accessed by arbitrary threads other than the one that constructed them. This creates a scenario where thread-unsafe data could be submitted into inventory and then accessed as a reference simultaneously from multiple threads, potentially leading to race conditions or memory corruption (GitHub PR).

The vulnerability could result in undefined behavior, including potential double-free corruption or memory safety violations when thread-unsafe data is accessed concurrently. This was demonstrated through a proof-of-concept that showed how using a Cell type (which is not thread-safe) could lead to program abortion due to memory corruption (GitHub PR).

The vulnerability has been patched in version 0.2.0 of the inventory package. The fix involves enforcing that data submitted by the caller into inventory implements the Sync trait, preventing thread-unsafe data from being stored in the registry (RustSec Advisory).