PT-2021-24291 · Rusqlite · Rusqlite

Published: 2021-12-07 · Updated: 2022-06-17 · CVE-2021-45717

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: rusqlite versions 0.25.0 through 0.25.3; rusqlite versions 0.26.0 through 0.26.1
Description: The issue exists in the rusqlite crate for Rust, where several closure-accepting functions have an overly relaxed lifetime bound. This can allow safe Rust code to access objects on the stack after they have been dropped: a closure that borrows values on the caller's stack can be passed to one of these functions and stored by the connection, which outlives those values, so a later invocation of the callback reads freed stack memory. The impacted functions include Connection::create_scalar_function, Connection::create_aggregate_function, Connection::create_window_function, Connection::commit_hook, Connection::rollback_hook, Connection::update_hook, and Connection::create_collation.
Recommendations: For rusqlite versions 0.25.0 through 0.25.3, upgrade to version 0.25.4 or newer. For rusqlite versions 0.26.0 through 0.26.1, upgrade to version 0.26.2 or newer. As a temporary workaround, consider avoiding the use of the impacted functions until a patch is available.
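As an added illustration (not rusqlite's own code), the following Rust model shows the fixed lifetime bound at work: a stand-in `Connection::create_scalar_function` requires `F: 'static`, so a closure that borrows the caller's stack is rejected at compile time, while a closure that owns its state is accepted and invoked. The `Connection` struct, its `call` method, and the boxed-callback map are assumptions standing in for the raw pointer rusqlite hands to SQLite.

```rust
// Model of the CVE-2021-45717 fix, written for this advisory page; not rusqlite code.
use std::cell::RefCell;
use std::collections::HashMap;

// A boxed trait object without an explicit lifetime is implicitly 'static.
type Scalar = Box<dyn FnMut(&[i64]) -> i64>;

pub struct Connection {
    // Stand-in for the callback pointer SQLite keeps for the connection's lifetime.
    funcs: RefCell<HashMap<String, Scalar>>,
}

impl Connection {
    pub fn open() -> Self {
        Connection { funcs: RefCell::new(HashMap::new()) }
    }

    // Fixed signature. Before the fix the bound was only `F: FnMut(...) -> i64`,
    // so `F` could borrow the caller's stack; boxing it and storing it in the
    // connection erased that borrow, and the callback could later run against
    // memory that had already been dropped. `'static` makes the compiler reject
    // such closures instead.
    pub fn create_scalar_function<F>(&self, name: &str, f: F)
    where
        F: FnMut(&[i64]) -> i64 + 'static,
    {
        self.funcs.borrow_mut().insert(name.to_owned(), Box::new(f));
    }

    // Invoke a registered function, as SQLite would while evaluating a query.
    pub fn call(&self, name: &str, args: &[i64]) -> Option<i64> {
        self.funcs.borrow_mut().get_mut(name).map(|f| f(args))
    }
}

// A closure that owns its state satisfies 'static and is accepted.
pub fn register_with_owned_state() -> i64 {
    let conn = Connection::open();
    let scale = vec![10i64, 100]; // moved into the closure, not borrowed
    conn.create_scalar_function("scaled_sum", move |args| {
        args.iter().zip(scale.iter()).map(|(a, s)| a * s).sum()
    });
    // With the fixed bound the following does NOT compile, because the closure
    // borrows `local`, which does not live for 'static. That rejected program is
    // exactly the use-after-free the pre-fix bound allowed:
    //   let local = vec![1i64];
    //   conn.create_scalar_function("bad", |args| args[0] + local[0]);
    conn.call("scaled_sum", &[1, 2]).unwrap() // 1*10 + 2*100 = 210
}
```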

Weakness Enumeration

Use After Free

Related Identifiers

CVE-2021-45717
GHSA-4QR3-M7WW-HH9G
GHSA-87XH-9Q6H-R5CC
GHSA-92CX-4XM7-JR9M
GHSA-CM8G-544F-P9X9
GHSA-F6F2-3W33-54R9
GHSA-G4G4-3PQW-8M7F
GHSA-G87R-23VW-7F87
GHSA-Q89G-4VHH-MVVM
RUSTSEC-2021-0128

Affected Products

Rusqlite