CVE-2021-29935 – rocket

Package

Manager: cargo
Name: rocket
Vulnerable Version: >=0 <0.4.7

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: 0.0041 pctl0.60543

Details

Use after free in Rocket Affected versions of this crate transmuted a &str to a &'static str before pushing it into a StackVec, this value was then popped later in the same function. This was assumed to be safe because the reference would be valid while the method's stack was active. In between the push and the pop, however, a function f was called that could invoke a user provided function. If the user provided panicked, then the assumption used by the function was no longer true and the transmute to &'static would create an illegal static reference to the string. This could result in a freed string being used during (such as in a Drop implementation) or after (e.g through catch_unwind) the panic unwinding. This flaw was corrected in commit `e325e2f` by using a guard object to ensure that the &'static str was dropped inside the function.

Metadata

Created: 2021-08-25T20:54:20Z
Modified: 2023-06-13T20:47:54Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-vcw4-8ph6-7vw8/GHSA-vcw4-8ph6-7vw8.json
CWE IDs: ["CWE-416"]
Alternative ID: GHSA-vcw4-8ph6-7vw8
Finding: F138
Auto approve: 1