Reported

March 5, 2021

Issued

March 5, 2021 (last modified: June 13, 2023)

Package

diesel (crates.io)

Type

Vulnerability

Categories

• memory-corruption

Keywords

#use-after-free

Aliases

• CVE-2021-28305
• GHSA-j8q9-5rp9-4mv9

References

• https://github.com/diesel-rs/diesel/pull/2663

CVSS Score

9.8 CRITICAL

CVSS Details

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Patched

• >=1.4.6

Affected Functions

Version

diesel::SqliteConnection::query_by_name

• <1.4.6

Description

We've misused sqlite3_column_name. The SQLite documentation states that the following:

The returned string pointer is valid until either the prepared statement is destroyed by sqlite3_finalize() or until the statement is automatically reprepared by the first call to sqlite3_step() for a particular run or until the next call to sqlite3_column_name() or sqlite3_column_name16() on the same column.

As part of our query_by_name infrastructure we've first received all field names for the prepared statement and stored them as string slices for later use. After that we called sqlite3_step() for the first time, which invalids the pointer and therefore the stored string slice.

Advisory available under CC0-1.0 license.