CVE-2020-35872

9.8 CRITICAL

📋 TL;DR

CVE-2020-35872 is a memory safety vulnerability in the rusqlite crate for Rust that allows memory corruption through improper handling of repr(Rust) types. This affects any Rust application using rusqlite versions before 0.23.0 for SQLite database operations. Attackers could potentially execute arbitrary code or cause denial of service.

💻 Affected Systems

Products:
  • rusqlite Rust crate
Versions: All versions before 0.23.0
Operating Systems: All platforms supported by Rust
Default Config Vulnerable: ⚠️ Yes
Notes: Any Rust application using vulnerable rusqlite versions is affected regardless of configuration.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Application crash or denial of service due to memory corruption, potentially leading to data corruption in SQLite databases.

🟢 If Mitigated: Limited impact with proper sandboxing and privilege separation, though memory corruption could still cause crashes.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious SQLite database operations that trigger the memory safety issue.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.23.0 and later

Vendor Advisory: https://rustsec.org/advisories/RUSTSEC-2020-0014.html

Restart Required: Yes

Instructions:

1. Update Cargo.toml to require rusqlite >= 0.23.0
2. Run 'cargo update -p rusqlite' to refresh the pinned version in Cargo.lock
3. Rebuild and redeploy your application
4. Restart any running services using the updated application

🔧 Temporary Workarounds

Disable vulnerable functionality (applies to all affected versions): avoid using repr(Rust) types with rusqlite operations.

🧯 If You Can't Patch

  • Implement strict input validation on all SQLite database operations
  • Run vulnerable applications in sandboxed environments with minimal privileges

🔍 How to Verify

Check if Vulnerable:

Check Cargo.lock or Cargo.toml for rusqlite dependency version

Check Version:

grep -A 1 'name = "rusqlite"' Cargo.lock

(In Cargo.lock the version line follows the name line of each [[package]] entry, so a plain 'grep rusqlite' piped into 'grep version' matches nothing; the -A 1 prints the version line that follows the matching name.)

Verify Fix Applied:

Verify rusqlite version is 0.23.0 or higher in Cargo.lock
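The check above can be scripted so it handles a Cargo.lock that pins more than one rusqlite version (a workspace can carry several) and compares the result against the fixed release rather than eyeballing it. The following POSIX sh snippet is an added example, not code from the advisory or from the rusqlite project; the Cargo.lock excerpt embedded in it is constructed sample data, and the function names are this example's own.

```shell
#!/bin/sh
# Constructed Cargo.lock excerpt used as sample input (not a real project's lockfile).
SAMPLE_LOCK='[[package]]
name = "libsqlite3-sys"
version = "0.18.0"

[[package]]
name = "rusqlite"
version = "0.22.0"
dependencies = [
 "libsqlite3-sys",
]
'

# Print every pinned version of crate $1 found in the Cargo.lock read from stdin.
# Each [[package]] block carries a "name = ..." line followed by a "version = ..." line.
lock_crate_versions() {
  awk -v want="$1" '
    /^\[\[package\]\]/ { name = "" }
    /^name = /    { gsub(/"/, "", $3); name = $3 }
    /^version = / { if (name == want) { gsub(/"/, "", $3); print $3 } }
  '
}

# Succeed (exit 0) when version $1 is 0.23.0 or later, the first fixed release.
version_ge_0_23() {
  major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
  [ "$major" -gt 0 ] || [ "$minor" -ge 23 ]
}

# Read a Cargo.lock from stdin and print one of: absent, fixed, vulnerable.
# Any pinned rusqlite below 0.23.0 makes the whole lockfile "vulnerable".
check_lock() {
  status=absent
  for v in $(lock_crate_versions rusqlite); do
    if version_ge_0_23 "$v"; then
      [ "$status" = vulnerable ] || status=fixed
    else
      status=vulnerable
    fi
  done
  printf '%s\n' "$status"
}

# Stand-alone run against the constructed sample: prints "vulnerable".
printf '%s' "$SAMPLE_LOCK" | check_lock
```

Run it against a real lockfile with 'check_lock < Cargo.lock'; a result of "absent" in a project that does use rusqlite usually means the lockfile is stale and 'cargo generate-lockfile' should be run first.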

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with memory corruption errors
  • Segmentation faults in Rust processes using SQLite

Network Indicators:

  • Unusual database query patterns to SQLite interfaces

SIEM Query:

process.name:rust AND event.type:crash AND process.cmdline:*rusqlite*
