CVE-2020-35870

9.8 CRITICAL

📋 TL;DR

CVE-2020-35870 is a use-after-free vulnerability in the rusqlite crate for Rust that allows memory corruption through the Auxdata API. This can lead to arbitrary code execution, denial of service, or information disclosure. Any Rust application using rusqlite versions before 0.23.0 is affected.

💻 Affected Systems

Products:
  • rusqlite Rust crate
Versions: All versions before 0.23.0
Operating Systems: All operating systems where Rust applications run
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that use the Auxdata API functionality.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Application crash (denial of service) or memory corruption leading to unpredictable behavior.

🟢

If Mitigated

Limited impact if proper memory safety controls and sandboxing are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires specific API usage patterns and understanding of Rust memory management.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.23.0 and later

Vendor Advisory: https://rustsec.org/advisories/RUSTSEC-2020-0014.html

Restart Required: Yes

Instructions:

1. Update Cargo.toml to require rusqlite >= 0.23.0
2. Run 'cargo update -p rusqlite' (the -p flag selects the single package and works on all Cargo versions)
3. Rebuild and redeploy your application
4. Restart affected services

🔧 Temporary Workarounds

Avoid Auxdata API

Applies to: all

Temporarily avoid using the Auxdata API functions until patched

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all database operations
  • Deploy application in sandboxed/containerized environments with minimal privileges

🔍 How to Verify

Check if Vulnerable:

Check Cargo.lock or Cargo.toml for rusqlite version < 0.23.0

Check Version:

grep -A1 '^name = "rusqlite"$' Cargo.lock

(In Cargo.lock the name and version of a package sit on consecutive lines of a [[package]] table, so the version line has to be taken as context of the name match; a plain 'grep rusqlite | grep version' returns nothing.)

Verify Fix Applied:

Verify rusqlite version >= 0.23.0 in Cargo.lock after update
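The following script is an added example, not part of the advisory: it parses a Cargo.lock, extracts the recorded rusqlite version and compares it numerically against the 0.23.0 fix version, so that 0.9.0 is correctly treated as older than 0.23.0 (a plain string comparison would get this wrong). The two lockfiles it writes are constructed sample data, not real project files.

```shell
#!/bin/sh
# Added example (not from the advisory): check a Cargo.lock for a rusqlite
# version older than the 0.23.0 fix. Lockfile contents below are constructed.

# Print the version of package $2 recorded in Cargo.lock $1.
# Cargo.lock keeps "name" and "version" on separate lines of a [[package]]
# table, so the current package name is tracked across lines.
lock_version() {
    awk -v pkg="$2" '
        /^\[\[package\]\]/ { name = "" }
        /^name = /         { gsub(/"/, "", $3); name = $3 }
        /^version = / && name == pkg { gsub(/"/, "", $3); print $3; exit }
    ' "$1"
}

# Succeed (exit 0) when semver $1 is older than $2; compares the numeric
# major.minor.patch parts and ignores any pre-release or build suffix.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/[-+].*/, "", a); sub(/[-+].*/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Report on one lockfile. Return codes: 0 patched, 1 vulnerable,
# 2 rusqlite not present (the application is not affected by this CVE).
check_lockfile() {
    v=$(lock_version "$1" rusqlite)
    if [ -z "$v" ]; then
        echo "$1: rusqlite not present, not affected"
        return 2
    fi
    if version_lt "$v" 0.23.0; then
        echo "$1: rusqlite $v is VULNERABLE to CVE-2020-35870, update to >= 0.23.0"
        return 1
    fi
    echo "$1: rusqlite $v is patched"
    return 0
}

# Constructed sample lockfiles (not real project files) for a stand-alone run.
VULN_LOCK=$(mktemp)
FIXED_LOCK=$(mktemp)
cat > "$VULN_LOCK" <<'EOF'
[[package]]
name = "libsqlite3-sys"
version = "0.17.3"

[[package]]
name = "rusqlite"
version = "0.22.0"
EOF
cat > "$FIXED_LOCK" <<'EOF'
[[package]]
name = "rusqlite"
version = "0.23.1"
EOF

check_lockfile "$VULN_LOCK"    # reports 0.22.0 as VULNERABLE
check_lockfile "$FIXED_LOCK"   # reports 0.23.1 as patched
```

Run it against a real project with `check_lockfile path/to/Cargo.lock`; the return code makes it usable as a CI gate, with 1 failing the build and 2 (no rusqlite at all) passing.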

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with memory corruption errors
  • Unexpected process termination

Network Indicators:

  • Unusual database query patterns
  • Increased error rates in database operations

SIEM Query:

source="application.log" AND ("segmentation fault" OR "use-after-free" OR "memory corruption")

🔗 References