Critical severity · NVD Advisory · Published Mar 12, 2021 · Updated Aug 3, 2024

CVE-2021-28305

Description

Use-after-free in diesel crate's SQLite backend due to misuse of sqlite3_column_name can lead to memory corruption.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

The diesel crate for Rust provides a safe ORM and query builder. A use-after-free vulnerability exists in its SQLite backend (CVE-2021-28305). The root cause is a misuse of the sqlite3_column_name function: the library stores the returned C string pointers as Rust string slices before the first call to sqlite3_step(). According to the SQLite documentation, those pointers are only valid until the first call to sqlite3_step(), after which they become invalid. Accessing the stored slice later therefore reads freed memory, a use-after-free [2].

Exploitation

The vulnerability is remotely exploitable without authentication or user interaction. An attacker could craft a malicious SQL query that triggers the use-after-free when processed by an application using the diesel SQLite backend. The attack complexity is low, meaning exploitation does not require special conditions [3].

Impact

Successful exploitation can lead to memory corruption, potentially allowing an attacker to execute arbitrary code, read sensitive data, or cause a denial of service. The CVSS v3.1 base score is 9.8 (Critical) with high impact on confidentiality, integrity, and availability [3].

Mitigation

The issue is fixed in diesel version 1.4.6. Users of the SQLite backend should update to this version or later. There is no known workaround, and the vulnerability is patched in the latest releases [2][3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: diesel (crates.io)
Affected versions: < 1.4.6
Patched versions: 1.4.6
