PT-2021-24276 · Unknown · Tremor-Script

Published: 2021-09-16 · Updated: 2022-06-17 · CVE-2021-45702

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: tremor-script versions prior to 0.11.6
Description: The issue is a use-after-free in the tremor-script crate for Rust. It affects the Merge and Patch language constructs when they reference the event and assign the result back to the target expression. The optimization that manipulates the target value in place instead of cloning it can access regions of memory that have already been freed, and the contents of those freed regions can then be sent out over the wire.
Recommendations: For versions prior to 0.11.6, upgrade to version 0.11.6 or later. As a temporary workaround, avoid the optimization by introducing a temporary variable instead of immediately reassigning to state, for example:
    let tmp = merge state of event end;
    let state = tmp

Weakness Enumeration

Use After Free

Related Identifiers

CVE-2021-45702
GHSA-3PP4-64MP-9CG9
GHSA-9QVW-46GF-4FV8
GHSA-Q2X5-6Q7Q-R872
RUSTSEC-2021-0111

Affected Products

Tremor-Script