GHSA-VCW4-8PH6-7VW8
Vulnerability from github – Published: 2021-08-25 20:54 – Updated: 2023-06-13 20:47Affected versions of this crate transmuted a &str to a &'static str before pushing it into a StackVec, this value was then popped later in the same function.
This was assumed to be safe because the reference would be valid while the method's stack was active. In between the push and the pop, however, a function f was called that could invoke a user provided function.
If the user provided panicked, then the assumption used by the function was no longer true and the transmute to &'static would create an illegal static reference to the string. This could result in a freed string being used during (such as in a Drop implementation) or after (e.g through catch_unwind) the panic unwinding.
This flaw was corrected in commit e325e2f by using a guard object to ensure that the &'static str was dropped inside the function.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "rocket"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.4.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-29935"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-19T17:09:45Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Affected versions of this crate transmuted a \u0026str to a \u0026\u0027static str before pushing it into a StackVec, this value was then popped later in the same function.\n\nThis was assumed to be safe because the reference would be valid while the method\u0027s stack was active. In between the push and the pop, however, a function f was called that could invoke a user provided function.\n\nIf the user provided panicked, then the assumption used by the function was no longer true and the transmute to \u0026\u0027static would create an illegal static reference to the string. This could result in a freed string being used during (such as in a Drop implementation) or after (e.g through catch_unwind) the panic unwinding.\n\nThis flaw was corrected in commit `e325e2f` by using a guard object to ensure that the \u0026\u0027static str was dropped inside the function.",
"id": "GHSA-vcw4-8ph6-7vw8",
"modified": "2023-06-13T20:47:54Z",
"published": "2021-08-25T20:54:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29935"
},
{
"type": "WEB",
"url": "https://github.com/SergioBenitez/Rocket/issues/1534"
},
{
"type": "WEB",
"url": "https://github.com/SergioBenitez/Rocket/commit/b53a906a8e170fe9b151381c66a76a872c419f9e"
},
{
"type": "WEB",
"url": "https://github.com/SergioBenitez/Rocket/commit/e325e2fce4d9f9f392761e9fb58b418a48cef8bb"
},
{
"type": "PACKAGE",
"url": "https://github.com/SergioBenitez/Rocket"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2021-0044.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Use after free in Rocket"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.