GHSA-jf43-3v8j-qwwr: 
Rust vulnerability analysis and mitigation

A high severity vulnerability was discovered in the multiqueue Rust package affecting versions 0.3.2 and below. The vulnerability, identified as GHSA-jf43-3v8j-qwwr and RUSTSEC-2020-0143, was reported on December 25, 2020, published to the GitHub Advisory Database on August 25, 2021, and last updated on June 13, 2023. The issue involves unconditional implementation of Send for types used in queue implementations, including InnerSend, InnerRecv, FutInnerSend, and FutInnerRecv (GitHub Advisory, RustSec Advisory).

The vulnerability has been assigned a CVSS v3.1 score of 8.1 (High), with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The technical issue stems from the crate's implementation which unconditionally implements Send for various queue implementation types, potentially allowing non-Send types to be transmitted between threads. The vulnerability is categorized under CWE-362 and affects the core functionality of the queue implementation (GitHub Advisory, RustSec Advisory).

The vulnerability can lead to data race bugs and other undefined behavior when non-Send types are transmitted between threads. This poses significant risks to system integrity, confidentiality, and availability, as reflected in the high CVSS metrics for these impact categories (RustSec Advisory).

Currently, there are no patched versions available for this vulnerability. The issue was initially reported in the multiqueue2 crate (a fork of multiqueue) and was fixed in version 0.1.7 of that fork, but the original multiqueue crate remains unpatched (GitHub Issue).