VYPR
Critical severity · NVD Advisory · Published Feb 18, 2021 · Updated Aug 3, 2024

CVE-2021-27377


Description

An issue was discovered in the yottadb crate before 1.2.0 for Rust. For some memory-allocation patterns, ydb_subscript_next_st and ydb_subscript_prev_st have a use-after-free.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the yottadb Rust crate before 1.2.0, ydb_subscript_next_st and ydb_subscript_prev_st can be exploited via a use-after-free under specific memory-allocation patterns.

Root Cause

The vulnerability is a use-after-free in the yottadb crate for Rust, versions prior to 1.2.0. The issue resides in the ydb_subscript_next_st and ydb_subscript_prev_st wrapper functions. As detailed in the advisory [2] and issue tracker [3], when the internal buffer t (which may point to self.variable) is resized via reserve(), the operation can reallocate the underlying memory. This invalidates a previously obtained pointer to the variable name (varname.as_ptr()), which is then passed to the subsequent ydb_subscript_next_st call, resulting in a use-after-free [3].
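A safe model of the pattern described above, added here as an illustration and not code from the yottadb crate: a mock of the C call (its name, signature and status constant are constructed) is driven by a wrapper in the vulnerable shape, which takes the name pointer once before its resize-and-retry loop, and by a corrected one that re-derives the pointer after each reallocation. The grow() step always moves the buffer, standing in for the allocation patterns under which reserve() relocates it; the vulnerable wrapper detects the stale pointer instead of dereferencing it, which the real code did not do.

```rust
use std::slice;
const YDB_OK: i32 = 0;
const ERR_INVSTRLEN: i32 = -1; // constructed stand-in for the "output too small, retry" status
/// Mock of the C call (not YottaDB's real API): writes "<varname>.next" into `out`, or
/// reports the required length through `out_len` and returns ERR_INVSTRLEN.
unsafe fn mock_subscript_next(varname: *const u8, varname_len: usize,
                              out: *mut u8, out_cap: usize, out_len: *mut usize) -> i32 {
    // Read the name before writing: `out` may alias `varname` (one buffer served both roles).
    let next = [slice::from_raw_parts(varname, varname_len), &b".next"[..]].concat();
    *out_len = next.len();
    if next.len() > out_cap { return ERR_INVSTRLEN; }
    std::ptr::copy_nonoverlapping(next.as_ptr(), out, next.len());
    YDB_OK
}
/// Grow into a fresh allocation: the pattern where reserve() cannot extend in place,
/// so the old block is freed and every pointer into it now dangles.
fn grow(buf: &mut Vec<u8>, cap: usize) {
    let mut moved = Vec::with_capacity(cap);
    moved.extend_from_slice(buf);
    *buf = moved;
}
#[derive(Debug, PartialEq)]
pub enum Outcome { Value(Vec<u8>), UseAfterFree }
/// Pre-1.2.0 shape: the name pointer is taken once, before the retry loop
/// resizes the very buffer it points into.
pub fn sub_next_vulnerable(buf: &mut Vec<u8>, name_len: usize) -> Outcome {
    let varname = buf.as_ptr();
    loop {
        // The real code had no guard here: the stale pointer went straight into the C call.
        if varname != buf.as_ptr() { return Outcome::UseAfterFree; }
        let mut needed = 0usize;
        let rc = unsafe { mock_subscript_next(varname, name_len, buf.as_mut_ptr(), buf.capacity(), &mut needed) };
        if rc == ERR_INVSTRLEN { grow(buf, needed); continue; }
        unsafe { buf.set_len(needed) }; // the mock initialised exactly `needed` bytes
        return Outcome::Value(buf.clone());
    }
}
/// Corrected shape: re-derive the name pointer after every possible reallocation.
pub fn sub_next_fixed(buf: &mut Vec<u8>, name_len: usize) -> Outcome {
    loop {
        let mut needed = 0usize;
        let varname = buf.as_ptr(); // always points into the current allocation
        let rc = unsafe { mock_subscript_next(varname, name_len, buf.as_mut_ptr(), buf.capacity(), &mut needed) };
        if rc == ERR_INVSTRLEN { grow(buf, needed); continue; }
        unsafe { buf.set_len(needed) };
        return Outcome::Value(buf.clone());
    }
}
```

Starting from a buffer whose capacity equals the name length forces the retry path, which is exactly where the two shapes diverge.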

Attack Vector

An attacker can trigger this vulnerability by providing a specially crafted sequence of subscript operations that cause the internal buffer to be reallocated during the loop inside sub_self_call. No authentication is required, and the attack can be carried out over the network [2]. The CVSS score is 9.8 (Critical) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [2].

Impact

Successful exploitation allows an attacker to achieve arbitrary read/write to freed memory, potentially leading to complete compromise of confidentiality, integrity, and availability of the application using the vulnerable yottadb crate. The RustSec advisory classifies this as a memory-corruption vulnerability [2].

Mitigation

The issue was fixed in yottadb version 1.2.0 [2]. Users should upgrade to at least 1.2.0 to remediate the vulnerability. The advisory also notes that no workaround exists, as the fix requires a version bump [2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: yottadb (crates.io)
Affected versions: < 1.2.0
Patched versions: 1.2.0
