VYPR
Critical severity · NVD Advisory · Published Dec 26, 2021 · Updated Aug 4, 2024

CVE-2021-45701

Description

An issue was discovered in the tremor-script crate before 0.11.6 for Rust. A patch operation may result in a use-after-free.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The tremor-script crate before 0.11.6 has a use-after-free when using patch or merge on state and assigning the result back to state.

Vulnerability

The tremor-script crate before version 0.11.6 contains a use-after-free when a patch or merge operation is applied to state and the result is assigned back to state. Constructs such as let state = merge state of event end; or let state = patch state of insert event.key => event.value end; trigger an in-place optimization that mutates the target value directly instead of cloning it. That optimization is sound when the target is the event itself or static data, because the target and the values being inserted into it live and die together. It is not sound once the target is state: state persists across events, while the event data it now references is released after the event has been processed, which leaves state holding references into freed memory [1][3].
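The lifetime hazard described above, as an added example written for this page rather than code from tremor-script. Value, parse_event, merge_in_place, merge_into_state, tag_event and run_pipeline are illustrative names, and the remark about how the original code got past Rust's borrow checker is an assumption; the advisory only says that the optimization skipped the clone.

```rust
// Added example, not code from tremor-script: a reduced model of why an
// in-place merge/patch is memory-safe for event-into-event but not for
// event-into-state. All names here are illustrative.
use std::borrow::Cow;
use std::collections::BTreeMap;

/// Zero-copy style value: strings may borrow from the event buffer ('ev)
/// or own their bytes.
#[derive(Debug)]
enum Value<'ev> {
    Str(Cow<'ev, str>),
    Object(BTreeMap<Cow<'ev, str>, Value<'ev>>),
}

impl<'ev> Value<'ev> {
    /// Deep-copy every borrowed slice so the result owns all of its memory.
    /// This is the clone that the in-place optimization skipped.
    fn into_static(self) -> Value<'static> {
        match self {
            Value::Str(s) => Value::Str(Cow::Owned(s.into_owned())),
            Value::Object(m) => Value::Object(
                m.into_iter()
                    .map(|(k, v)| (Cow::Owned(k.into_owned()), v.into_static()))
                    .collect(),
            ),
        }
    }

    /// Read a string field of an object.
    fn get_str(&self, key: &str) -> Option<&str> {
        match self {
            Value::Object(m) => match m.get(key) {
                Some(Value::Str(s)) => Some(s.as_ref()),
                _ => None,
            },
            _ => None,
        }
    }
}

/// Parse "k=v,k2=v2" by borrowing slices out of the raw buffer, the way a
/// zero-copy JSON parser hands out strings that point into its input.
fn parse_event(raw: &str) -> Value<'_> {
    let mut obj = BTreeMap::new();
    for pair in raw.split(',') {
        if let Some((k, v)) = pair.split_once('=') {
            obj.insert(Cow::Borrowed(k.trim()), Value::Str(Cow::Borrowed(v.trim())));
        }
    }
    Value::Object(obj)
}

/// The optimized path: move `source` into `target` without copying. Sound only
/// when both sides share one lifetime, i.e. both borrow from the same event
/// buffer (or neither borrows at all).
fn merge_in_place<'ev>(target: &mut Value<'ev>, source: Value<'ev>) {
    let Value::Object(t) = target else { return; };
    let Value::Object(s) = source else { return; };
    t.extend(s);
}

/// Event-into-event (`let event = merge event of overlay end`): the in-place
/// path is fine because both values borrow from one buffer and die together.
fn tag_event(buf: &str) -> Value<'_> {
    let (raw, tag) = buf.split_once(';').unwrap_or((buf, ""));
    let mut event = parse_event(raw);
    merge_in_place(&mut event, parse_event(tag));
    event
}

/// The fixed path for `let state = merge state of event end`: the event's
/// contents are deep-copied before they land in the long-lived state.
fn merge_into_state(state: &mut Value<'static>, event: Value<'_>) {
    let Value::Object(s) = state else { return; };
    let Value::Object(e) = event else { return; };
    for (k, v) in e {
        s.insert(Cow::Owned(k.into_owned()), v.into_static());
    }
}

/// Each event buffer is freed before the next event arrives, while `state`
/// outlives all of them.
fn run_pipeline(raw_events: &[&str]) -> Value<'static> {
    let mut state: Value<'static> = Value::Object(BTreeMap::new());
    for raw in raw_events {
        let buf = raw.to_string();     // this event's own heap buffer
        let event = parse_event(&buf); // borrows into `buf`
        merge_into_state(&mut state, event);
        // `merge_in_place(&mut state, event)` is rejected here by the borrow
        // checker: `buf` does not live for 'static. Reaching that shape anyway
        // (an assumption about how the bug arose) would leave `state` pointing
        // into `buf` after it is freed at the end of this iteration.
    }
    state
}

fn main() {
    println!("{:?}", run_pipeline(&["a=1,b=2", "b=3,c=4"]));
    println!("{:?}", tag_event("a=1;tag=x"));
}
```

The type signatures carry the whole argument: merge_in_place requires one lifetime on both sides, so a state that must be 'static can only be fed owned data, which is exactly the clone the fix in 0.11.6 reinstates.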

Exploitation

An attacker who can feed events into a tremor-script pipeline whose script uses this pattern can reach the vulnerable code path with ordinary input; no authentication or network position beyond normal pipeline operation is required. Because the fields merged or patched into state are taken from the event without being cloned, the resulting Value keeps references to the event's memory after that memory has been freed, which is the use-after-free [1][3].

Impact

Successful exploitation results in memory corruption and potential memory exposure: the attacker may be able to read freed memory or cause undefined behaviour, leading to information disclosure or denial of service. The vulnerability affects the tremor-script crate as used in the Tremor runtime (tremor-rs/tremor-runtime). NVD rates the advisory as critical severity, and the advisory categorizes it under memory corruption and memory exposure [1][2][3].

Mitigation

The vulnerability is fixed in version 0.11.6 of the tremor-script crate. The fix removes the in-place optimization for patch and merge operations, as described in pull request #1217 on the tremor-rs/tremor-runtime repository [1][4]. Versions earlier than 0.7.2 are unaffected because they predate the optimization [1][3]. Users should upgrade to 0.11.6 or later.
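A way to check a project's Cargo.lock against the affected range, added here as an example rather than taken from the advisory or the tremor project. parse_version, is_affected, locked_versions and affected_entries are illustrative names, and SAMPLE_LOCK is a constructed lockfile, not one from a real project.

```rust
// Added example, not code from the advisory or the tremor project: flag a
// Cargo.lock entry for tremor-script inside the affected range [0.7.2, 0.11.6).
// Function names and the sample lockfile are illustrative.

/// Bounds from the GitHub Security Advisory: affected >= 0.7.2 and < 0.11.6.
const AFFECTED_FROM: (u64, u64, u64) = (0, 7, 2);
const PATCHED_AT: (u64, u64, u64) = (0, 11, 6);

/// Parse "MAJOR.MINOR.PATCH". Pre-release or build suffixes make this return
/// None; such entries are treated as not affected and must be checked by hand.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let mut parts = v.split('.').map(|p| p.parse::<u64>().ok());
    let (major, minor, patch) = (parts.next()??, parts.next()??, parts.next()??);
    if parts.next().is_some() {
        return None;
    }
    Some((major, minor, patch))
}

/// True when `version` is >= 0.7.2 and < 0.11.6; tuples compare lexicographically.
fn is_affected(version: &str) -> bool {
    parse_version(version).map_or(false, |v| v >= AFFECTED_FROM && v < PATCHED_AT)
}

/// Collect every locked version of `name`. Cargo.lock is TOML made of
/// `[[package]]` tables whose `name` and `version` keys sit on their own lines;
/// that is the only structure this minimal scanner relies on.
fn locked_versions(lock: &str, name: &str) -> Vec<String> {
    let mut out = Vec::new();
    let mut current: Option<String> = None;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            current = None;
        } else if let Some(rest) = line.strip_prefix("name = ") {
            current = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            if current.as_deref() == Some(name) {
                out.push(rest.trim_matches('"').to_string());
            }
        }
    }
    out
}

/// Versions of tremor-script in `lock` that fall inside the affected range.
fn affected_entries(lock: &str) -> Vec<String> {
    locked_versions(lock, "tremor-script")
        .into_iter()
        .filter(|v| is_affected(v))
        .collect()
}

/// Constructed sample lockfile for this example; not from any real project.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "serde"
version = "1.0.130"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "tremor-script"
version = "0.11.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "serde",
]
"#;

fn main() {
    let hits = affected_entries(SAMPLE_LOCK);
    if hits.is_empty() {
        println!("no tremor-script entry in the affected range");
    }
    for v in hits {
        println!("tremor-script {v} is affected by CVE-2021-45701; upgrade to 0.11.6 or later");
    }
}
```

The scanner deliberately looks only at `[[package]]` blocks, so a vendored or path dependency with the same name is reported too; the range check is the same one a `cargo audit` advisory match performs, expressed against the bounds printed on this page.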

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                     Affected versions      Patched versions
tremor-script (crates.io)   >= 0.7.2, < 0.11.6     0.11.6
