CVE-2021-45682

9.8 CRITICAL

📋 TL;DR

CVE-2021-45682 is a memory safety vulnerability in the bronzedb-protocol Rust crate where ReadKVExt may read from uninitialized memory locations. This could allow attackers to read sensitive data from memory or potentially execute arbitrary code. Anyone using affected versions of the bronzedb-protocol crate in Rust applications is vulnerable.
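Added example, not the crate's source: the unsound pattern this class of advisory usually describes (assumed here to be lending a `Vec` whose length was set without initialising its contents to a caller-supplied `Read`), beside a hardened reader that zero-initialises the buffer and bounds the length. `PeekingReader`, `read_value_unsound` and `read_value_sound` are constructed names.

```rust
use std::io::{self, Read};

// Constructed Read impl that records whatever bytes are already in the buffer
// it is handed before filling it. A caller-supplied Read like this is what
// turns "passes an uninitialised buffer to Read" into an information leak.
struct PeekingReader {
    payload: Vec<u8>,
    observed: Vec<u8>,
}

impl Read for PeekingReader {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        self.observed.extend_from_slice(buf); // sees the caller's old contents
        let n = buf.len().min(self.payload.len());
        buf[..n].copy_from_slice(&self.payload[..n]);
        self.payload.drain(..n);
        Ok(n)
    }
}

// UNSOUND pattern (illustrative, assumed cause of the advisory, not the crate's
// code): reserve capacity, set_len() to expose uninitialised bytes, lend them to
// Read. Undefined behaviour; kept only for contrast and never executed here.
#[allow(dead_code)]
fn read_value_unsound<R: Read>(r: &mut R, len: usize) -> io::Result<Vec<u8>> {
    let mut buf: Vec<u8> = Vec::with_capacity(len);
    unsafe { buf.set_len(len) }; // contents undefined, yet `r` can read them
    r.read_exact(&mut buf)?;
    Ok(buf)
}

// HARDENED form: every byte is defined before the buffer is lent out, and the
// length (typically taken from the wire) is bounded so a hostile length prefix
// cannot force a huge allocation.
fn read_value_sound<R: Read>(r: &mut R, len: usize, max_len: usize) -> io::Result<Vec<u8>> {
    if len > max_len {
        return Err(io::Error::new(io::ErrorKind::InvalidData, "value length exceeds limit"));
    }
    let mut buf = vec![0u8; len];
    r.read_exact(&mut buf)?;
    Ok(buf)
}

fn main() {
    let mut r = PeekingReader { payload: b"hello".to_vec(), observed: Vec::new() };
    let v = read_value_sound(&mut r, 5, 1024).unwrap();
    println!("value={:?} observed-before-fill={:?}", v, r.observed);
}
```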

💻 Affected Systems

Products:
  • bronzedb-protocol Rust crate
Versions: All versions through 2021-01-03
Operating Systems: All platforms running Rust applications
Default Config Vulnerable: ⚠️ Yes
Notes: Any Rust application that imports and uses the affected bronzedb-protocol crate versions is vulnerable regardless of configuration.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data exfiltration, or service disruption.

🟠 Likely Case

Information disclosure of sensitive memory contents, potentially including credentials, keys, or application data.

🟢 If Mitigated

Limited impact with proper memory isolation and sandboxing, potentially just crashes or degraded performance.

🌐 Internet-Facing: HIGH - Network-accessible services using this crate could be exploited remotely.
🏢 Internal Only: MEDIUM - Internal services could be exploited by authenticated users or through other attack vectors.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires triggering the specific uninitialized memory read, which may be complex depending on application usage patterns.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 2021-01-03

Vendor Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0084.html

Restart Required: Yes

Instructions:

1. Update Cargo.toml to use bronzedb-protocol version > 0.1.0 (post 2021-01-03).
2. Run 'cargo update bronzedb-protocol'.
3. Rebuild and redeploy your application.
4. Restart affected services.

🔧 Temporary Workarounds

Remove or replace dependency (applies to: all)

Remove bronzedb-protocol from your project or replace it with an alternative implementation:

cargo remove bronzedb-protocol

🧯 If You Can't Patch

  • Isolate affected applications in containers or VMs with minimal privileges
  • Implement network segmentation to limit access to vulnerable services

🔍 How to Verify

Check if Vulnerable:

Check Cargo.lock or Cargo.toml for a bronzedb-protocol dependency at version <= 0.1.0 (2021-01-03 or earlier)

Check Version:

grep bronzedb-protocol Cargo.lock

Verify Fix Applied:

Verify bronzedb-protocol version > 0.1.0 in Cargo.lock after update

📡 Detection & Monitoring

Log Indicators:

  • Application crashes, memory access violations, unexpected process termination

Network Indicators:

  • Unusual outbound connections from affected services

SIEM Query:

process.name="your_application" AND (event.code="SIGSEGV" OR event.code="ACCESS_VIOLATION")
