CVE-2024-27284

EPSS 0.82%
Veröffentlicht 29.02.2024 01:44:19
Zuletzt bearbeitet 01.04.2025 15:20:58
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

cassandra-rs non-idiomatic use of iterators leads to use after free

cassandra-rs is a Cassandra (CQL) driver for Rust. Code that attempts to use an item (e.g., a row) returned by an iterator after the iterator has advanced to the next item will be accessing freed memory and experience undefined behaviour.  The problem has been fixed in version 3.0.0.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cassandra-rs Project ≫ Cassandra-rs SwPlatformrust Version < 3.0.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.82%	0.523

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://github.com/Metaswitch/cassandra-rs/commit/ae054dc8044eac9c2c7ae2b1ab154b53ca7f8df7

Patch

https://github.com/Metaswitch/cassandra-rs/security/advisories/GHSA-x9xc-63hg-vcfq

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-27284

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-27284

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-27284

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-27284