Miggo Logo
Miggo Vulnerability Database
CVE-2021-45714

CVE-2021-45714: Use After Free in rusqlite

7.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-45714
GHSA ID
GHSA-f6f2-3w33-54r9
EPSS Score
0.51056%
CWE
CWE-416
Published
1/6/2022
Updated
6/13/2023
KEV Status
No
Technology
TechnologyRust

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
rusqliterust>= 0.25.0, < 0.25.40.25.4
rusqliterust>= 0.26.0, < 0.26.20.26.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The RustSec advisory RUSTSEC-2021-0128 explicitly lists these functions as vulnerable due to incorrect lifetime bounds on closure parameters. The GitHub issue #1048 provides a concrete demonstration of the UAF vulnerability in update_hook. All listed functions share the same pattern of registering callbacks that might outlive their captured environment due to overly relaxed lifetime constraints. The advisory's detailed function list combined with reproduction evidence gives high confidence in these identifications.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *is*ov*r** in t** rusqlit* *r*t* *.**.x ***or* *.**.* *n* *.**.x ***or* *.**.* *or Rust. *r**t*_***r***t*_*un*tion **s * us*-**t*r-*r**.

Reasoning

T** RustS** **visory RUSTS**-****-**** *xpli*itly lists t**s* `*un*tions` *s vuln*r**l* *u* to in*orr**t li**tim* *oun*s on *losur* p*r*m*t*rs. T** *it*u* issu* #**** provi**s * *on*r*t* **monstr*tion o* t** U** vuln*r**ility in `up**t*_*ook`. *ll li