PT-2021-17843 · Diesel · Diesel

Published: 2021-03-05 · Updated: 2022-05-24 · CVE-2021-28305

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: diesel crate versions prior to 1.4.6
Description: An issue was discovered in the diesel crate for Rust, where there is a use-after-free in the SQLite backend. This occurs because the semantics of sqlite3_column_name() are not followed, specifically regarding the validity of the returned string pointer. The pointer is valid until the prepared statement is destroyed or reprepared, but in the diesel crate, the field names are stored for later use after sqlite3_step() is called, which invalidates the pointer.
Recommendations: For versions prior to 1.4.6, update to version 1.4.6 or later to resolve the issue. As a temporary workaround, consider modifying the query by name infrastructure to avoid storing the field names as string slices for later use, or ensure that sqlite3_column_name() is not called after sqlite3_step().
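
To check a project against the affected range above, the following added example (not code from Diesel or from this advisory) scans Cargo.lock text for diesel entries older than 1.4.6 and reports whether the SQLite backend is pulled in. It assumes Cargo's usual [[package]] lockfile layout and treats a libsqlite3-sys entry in diesel's dependency list as the sign of the SQLite backend; Finding, audit_lockfile and SAMPLE_LOCK are names made up for the example.

```rust
// Added example (not Diesel project code): flag diesel < 1.4.6 in Cargo.lock text.
// Assumption: the lockfile uses Cargo's usual [[package]] tables with name/version keys.
#[derive(Debug, PartialEq)]
pub struct Finding {
    pub version: String,
    pub sqlite_backend: bool, // true if libsqlite3-sys is among diesel's dependencies
}
/// Parse "MAJOR.MINOR.PATCH", ignoring any -pre or +build suffix
/// (so a pre-release of 1.4.6 is treated like 1.4.6 itself).
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}
/// Return one finding per `diesel` package entry older than 1.4.6.
pub fn audit_lockfile(lock: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    for block in lock.split("[[package]]").skip(1) {
        // Look up a `key = "value"` line inside this package table.
        let field = |key: &str| {
            block.lines().find_map(|l| {
                let rest = l.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
                Some(rest.trim().trim_matches('"').to_string())
            })
        };
        if field("name").as_deref() != Some("diesel") {
            continue;
        }
        let version = match field("version") { Some(v) => v, None => continue };
        if parse_version(&version).map_or(false, |v| v < (1, 4, 6)) {
            let sqlite_backend = block.contains("\"libsqlite3-sys");
            findings.push(Finding { version, sqlite_backend });
        }
    }
    findings
}
// Constructed sample lockfile excerpt, not taken from a real project.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "diesel"
version = "1.4.5"
dependencies = [
 "libsqlite3-sys",
]
"#;
fn main() {
    for f in audit_lockfile(SAMPLE_LOCK) {
        println!("diesel {} predates 1.4.6 (sqlite backend: {})", f.version, f.sqlite_backend);
    }
}
```

A finding with sqlite_backend set to false still predates the fixed release, but the use-after-free described above is in the SQLite backend.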

Fix

Use After Free


Weakness Enumeration

Related Identifiers

CVE-2021-28305
GHSA-J8Q9-5RP9-4MV9
RUSTSEC-2021-0037

Affected Products

Diesel