CVE-2024-27284 – This is a use-after-free vulnerability in the c... (How to Fix)

Q: What is the severity of CVE-2024-27284?

CVE-2024-27284 has a CVSS score of 7.5 (HIGH). This is a use-after-free vulnerability in the cassandra-rs Rust driver for Cassandra databases. When code accesses an iterator item after the iterator has advanced, it accesses freed memory causing undefined behavior. This affects Rust applications using vulnerable versions of the cassandra-rs driver to connect to Cassandra databases.

📋 TL;DR

This is a use-after-free vulnerability in the cassandra-rs Rust driver for Cassandra databases. When code accesses an iterator item after the iterator has advanced, it accesses freed memory causing undefined behavior. This affects Rust applications using vulnerable versions of the cassandra-rs driver to connect to Cassandra databases.

💻 Affected Systems

Products:

cassandra-rs Rust driver

Versions: All versions before 3.0.0

Operating Systems: All operating systems running Rust applications with cassandra-rs

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects Rust applications using the cassandra-rs driver. The vulnerability is in the driver code itself, not in Cassandra server.

📦 What is this software?

Cassandra Rs by Cassandra Rs Project

View all CVEs affecting Cassandra Rs →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data corruption, or service disruption through memory corruption.

🟠

Likely Case

Application crashes, memory corruption leading to data integrity issues, or denial of service.

🟢

If Mitigated

Limited to application instability if proper memory safety controls and sandboxing are implemented.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires attacker to control or influence iterator usage patterns in vulnerable Rust code. No public exploits have been reported.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.0

Vendor Advisory: https://github.com/Metaswitch/cassandra-rs/security/advisories/GHSA-x9xc-63hg-vcfq

Restart Required: Yes

Instructions:

1. Update Cargo.toml to specify cassandra-rs version 3.0.0 or higher. 2. Run 'cargo update' to fetch the new version. 3. Rebuild and redeploy your Rust application. 4. Restart any running services using the updated application.

🔧 Temporary Workarounds

Avoid iterator reuse patterns

all

Modify code to avoid accessing iterator items after advancing the iterator. Store needed values before advancing.

🧯 If You Can't Patch

Implement strict input validation and sanitization for all data processed through cassandra-rs iterators
Deploy application in sandboxed/containerized environments with memory protection controls

🔍 How to Verify

Check if Vulnerable:

Check Cargo.toml or Cargo.lock for cassandra-rs dependency version. If version is <3.0.0, the application is vulnerable.

Check Version:

grep -A2 -B2 'cassandra-rs' Cargo.toml || grep 'cassandra-rs' Cargo.lock

Verify Fix Applied:

Verify cassandra-rs version is 3.0.0 or higher in Cargo.lock after update. Test iterator usage patterns in your application code.

📡 Detection & Monitoring

Log Indicators:

Application crashes with segmentation faults
Memory corruption errors in application logs
Unexpected Rust panic messages related to iterator access

Network Indicators:

Unusual database query patterns from application
Increased failed Cassandra connection attempts

SIEM Query:

source="application_logs" AND ("segmentation fault" OR "use-after-free" OR "iterator" AND "panic")

📊 Metadata

CVE ID: CVE-2024-27284

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-416

Published: February 29, 2024

Last Updated: April 1, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-27284, you might also want to check these: