GHSA-vcw4-8ph6-7vw8

Suggest an improvement
Source
https://github.com/advisories/GHSA-vcw4-8ph6-7vw8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-vcw4-8ph6-7vw8/GHSA-vcw4-8ph6-7vw8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vcw4-8ph6-7vw8
Aliases
Published
2021-08-25T20:54:20Z
Modified
2023-11-08T04:05:43.819286Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
Summary
Use after free in Rocket
Details

Affected versions of this crate transmuted a &str to a &'static str before pushing it into a StackVec, this value was then popped later in the same function.

This was assumed to be safe because the reference would be valid while the method's stack was active. In between the push and the pop, however, a function f was called that could invoke a user provided function.

If the user provided panicked, then the assumption used by the function was no longer true and the transmute to &'static would create an illegal static reference to the string. This could result in a freed string being used during (such as in a Drop implementation) or after (e.g through catch_unwind) the panic unwinding.

This flaw was corrected in commit e325e2f by using a guard object to ensure that the &'static str was dropped inside the function.

Database specific 
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-416"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-19T17:09:45Z"
}
References

Affected packages

crates.io / rocket

Package

Name
rocket
View open source insights on deps.dev
Purl
pkg:cargo/rocket

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.4.7