PT-2021-24289 · Rusqlite · Rusqlite

Published: 2021-12-07 · Updated: 2022-06-17 · CVE-2021-45715

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: rusqlite versions 0.25.0 through 0.25.3; rusqlite versions 0.26.0 through 0.26.1
Description: Several closure-accepting functions in the rusqlite crate carry a lifetime bound that is too relaxed. A closure that borrows objects on the stack can therefore be registered and later invoked after those objects have been dropped, resulting in a use-after-free. The affected functions are create_scalar_function, create_aggregate_function, create_window_function, commit_hook, rollback_hook, update_hook and create_collation.
Recommendations: For rusqlite versions 0.25.0 through 0.25.3, upgrade to version 0.25.4 or newer. For rusqlite versions 0.26.0 through 0.26.1, upgrade to version 0.26.2 or newer.
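The bound the advisory describes, shown as an added example that is not rusqlite's own code: a minimal model of the hook-registration pattern, with the hypothetical names `Registry`, `register`, `call` and `clear` assumed, in which the closure is boxed and handed across a C-style boundary as a raw pointer (so the compiler can no longer track its lifetime) and the `'static` bound is what stops a closure borrowing stack data from being registered.

```rust
// Added example, not rusqlite's code: the boxed closure crosses a C-style
// boundary as a type-erased pointer, hiding its lifetime from the borrow checker.
use std::ffi::c_void;
/// Boxed trait object the trampoline casts the user-data pointer back to.
type Callback = Box<dyn FnMut(i64) -> i64>;

/// C library's slot: user-data pointer plus trampoline, with no Rust lifetime.
#[derive(Default)]
pub struct Registry {
    slot: Option<(*mut c_void, unsafe fn(*mut c_void, i64) -> i64)>,
}

/// C-callable entry point: recovers the boxed closure and invokes it.
unsafe fn trampoline(data: *mut c_void, arg: i64) -> i64 {
    let cb = unsafe { &mut *(data as *mut Callback) };
    cb(arg)
}

impl Registry {
    /// Fixed signature. With the relaxed bound the advisory describes (no
    /// `'static`), a closure borrowing a local is accepted, its borrow erased
    /// by the cast, and read after the local is dropped: a use-after-free.
    pub fn register<F>(&mut self, f: F)
    where
        F: FnMut(i64) -> i64 + 'static,
    {
        self.clear();
        let boxed: Box<Callback> = Box::new(Box::new(f));
        self.slot = Some((Box::into_raw(boxed) as *mut c_void, trampoline));
    }

    /// Simulates the library invoking the hook some time after registration.
    pub fn call(&mut self, arg: i64) -> Option<i64> {
        let (data, tramp) = self.slot?;
        Some(unsafe { tramp(data, arg) })
    }

    /// Frees the boxed closure, as the C API's destructor callback would.
    pub fn clear(&mut self) {
        if let Some((data, _)) = self.slot.take() {
            unsafe { drop(Box::from_raw(data as *mut Callback)) };
        }
    }
}

impl Drop for Registry {
    fn drop(&mut self) {
        self.clear();
    }
}
```

Because `register` demands `'static`, only `move` closures that own their captures compile; the closure then stays valid for as long as the registry holds the pointer.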

Weakness Enumeration

Use After Free

Related Identifiers

CVE-2021-45715
GHSA-4QR3-M7WW-HH9G
GHSA-87XH-9Q6H-R5CC
GHSA-92CX-4XM7-JR9M
GHSA-CM8G-544F-P9X9
GHSA-F6F2-3W33-54R9
GHSA-G4G4-3PQW-8M7F
GHSA-G87R-23VW-7F87
GHSA-Q89G-4VHH-MVVM
RUSTSEC-2021-0128

Affected Products

Rusqlite