
CVE-2021-45714: Use After Free in rusqlite

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.51056%
Published: 1/6/2022
Updated: 6/13/2023
KEV Status: No
Technology: Rust

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name   Ecosystem   Vulnerable Versions    First Patched Version
rusqlite       rust        >= 0.25.0, < 0.25.4    0.25.4
rusqlite       rust        >= 0.26.0, < 0.26.2    0.26.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The RustSec advisory RUSTSEC-2021-0128 explicitly lists these functions as vulnerable due to incorrect lifetime bounds on closure parameters. GitHub issue #1048 provides a concrete demonstration of the use-after-free (UAF) in update_hook. All listed functions share the same pattern: they register a callback closure under a lifetime bound that is too permissive, so the closure can outlive the borrowed data it captures and later be invoked by SQLite on memory that has already been freed. The advisory's detailed function list, combined with the reproduction evidence, gives high confidence in these identifications.


WAF Protection Rules

WAF Rule

An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and 0.26.x before 0.26.2 for Rust. create_aggregate_function has a use-after-free.
