
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-39228 is a memory safety vulnerability in Tremor's tremor-script crate, affecting versions later than 0.7.2 and earlier than 0.11.6. It is triggered when a 'patch' or 'merge' operation is applied to 'state' and the result is assigned straight back to 'state'; the stored value can then retain references to memory that has already been freed (Tremor Advisory).
Two tremor-script constructs are affected: a merge whose result is assigned back to its target expression and whose merge expression references the event (e.g., 'let state = merge state of event end'), and a patch whose result is assigned back to its target expression and whose patch operations reference the event. The root cause is an optimization that modified the target value in place instead of cloning it, so the target could end up pointing at freed memory (Tremor Advisory). The vulnerability has a CVSS v3.1 base score of 6.5 (Moderate) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N.
The vulnerability allows freed memory regions to be read and their contents potentially exposed over the network. When 'state' holds references into events that have since been freed, whatever now occupies those regions can be read and forwarded over TCP or HTTP, which is an information disclosure and integrity risk (Tremor Advisory).
The issue has been patched in tremor-script version 0.11.6. If upgrading is not possible, the workaround is to avoid the optimization by assigning the result to a temporary variable first rather than directly to 'state' (e.g., 'let tmp = merge state of event end; let state = tmp'). The fix removes the optimization and always clones the target expression of a Merge or Patch operation (Tremor Release).
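The following tremor-script is an added example, not code from the advisory or the Tremor project, showing both affected forms next to the temporary-variable workaround inside a complete script. The script name 'counter' and the 'seen' and 'last' fields are assumed for illustration.

```tremor
# Added example (not from the advisory or the Tremor project): a script that
# keeps a small per-pipeline record in `state` and attaches the last event to it.
define script counter
script
  # `state` starts as null; give it a shape on first use.
  let state = match state of
    case null => {"seen": 0, "last": null}
    default => state
  end;

  # AFFECTED (tremor-script > 0.7.2 and < 0.11.6): the result of `merge` or
  # `patch` is assigned straight back to `state` and references `event`, so the
  # in-place optimization can leave `state` pointing into the freed event buffer.
  # let state = merge state of {"last": event} end;
  # let state = patch state of upsert "last" => event end;

  # WORKAROUND (from the advisory): assign to a temporary variable first, then
  # to `state`, so the in-place path is not taken and the target is cloned.
  let tmp = merge state of {"seen": state.seen + 1, "last": event} end;
  let state = tmp;

  emit state
end;
```

Upgrading to tremor-script 0.11.6 or later makes the temporary variable unnecessary, since the fixed versions always clone the target.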
Source: This report was generated using AI