
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-45701 is a use-after-free in the tremor-script crate for Rust, triggered by patch (and merge) operations on state. The vulnerability was reported on September 16, 2021, and affects tremor-script versions from 0.7.2 up to, but excluding, 0.11.6, the release that fixes it (NVD, RustSec Advisory).
The vulnerability stems from a zero-copy optimization in the tremor-script runtime: the Value struct that carries event data stores strings as borrowed beef::Cow<'lifetime, str> slices that point into the event's underlying Vec. This is safe as long as every Value either dies with its event or refers to static data, but the introduction of state to tremor-script meant a Value could now outlive the event it borrowed from, leaving it pointing into freed memory (RustSec Advisory). NVD assigns a CVSS v3.1 base score of 9.8 (CRITICAL) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
When event data is merged or patched into state without being cloned, state keeps borrowed references into the event buffer, and that buffer is freed once the event has been processed. Any later read of state dereferences freed memory, so whatever subsequently occupies those regions can be read back out of state and extracted over the network (RustSec Advisory).
If an immediate upgrade is not possible, a temporary workaround is to route the result through a temporary variable instead of assigning the merge or patch result to state directly: let tmp = merge state of event end; let state = tmp. The permanent fix shipped in tremor-script 0.11.6 (commit 1a2efcd), which removes the optimization and always clones the target expression during a Merge or Patch operation (RustSec Advisory). Whether a dependency tree pulls in an affected version can be checked with cargo audit, which reads the RustSec advisory database.
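The mechanism and fix described above, reproduced as an added example that is not tremor's own code: a cut-down Value type whose strings borrow from the raw event buffer (std::borrow::Cow stands in for beef::Cow; the key=value event format, the State type and all function names are assumptions for illustration). State is typed Value<'static>, so the borrow checker refuses to store a borrowed event value in it without unsafe code; the only way in is into_owned(), the mandatory clone that the 0.11.6 fix performs on Merge and Patch, and has_borrowed() serves as an invariant check that no reference into a freed buffer can remain. The pre-0.11.6 zero-copy merge into state is deliberately not reproduced: safe Rust rejects it, and executing it after the buffer is freed would be undefined behaviour.

```rust
use std::borrow::Cow;
use std::collections::BTreeMap;

/// Minimal stand-in for tremor's Value (assumption: std Cow instead of beef::Cow).
/// Strings may borrow directly from the raw event buffer, which is the zero-copy
/// optimisation at the root of CVE-2021-45701.
#[derive(Debug, Clone, PartialEq)]
enum Value<'a> {
    Str(Cow<'a, str>),
    Object(BTreeMap<Cow<'a, str>, Value<'a>>),
}

impl<'a> Value<'a> {
    /// Parse a toy "key=value;key=value" event without copying: every string borrows `buf`.
    fn parse_event(buf: &'a str) -> Value<'a> {
        let mut map = BTreeMap::new();
        for pair in buf.split(';').filter(|p| !p.is_empty()) {
            let (k, v) = pair.split_once('=').unwrap_or((pair, ""));
            map.insert(Cow::Borrowed(k), Value::Str(Cow::Borrowed(v)));
        }
        Value::Object(map)
    }

    /// Deep-copy every borrowed string. The result no longer references the event
    /// buffer, so it may live in state for as long as the pipeline runs. This is the
    /// clone that the 0.11.6 fix makes mandatory during Merge and Patch.
    fn into_owned(self) -> Value<'static> {
        match self {
            Value::Str(s) => Value::Str(Cow::Owned(s.into_owned())),
            Value::Object(m) => Value::Object(
                m.into_iter()
                    .map(|(k, v)| (Cow::Owned(k.into_owned()), v.into_owned()))
                    .collect(),
            ),
        }
    }

    /// Invariant check: does any string inside still borrow from an event buffer?
    fn has_borrowed(&self) -> bool {
        match self {
            Value::Str(s) => matches!(s, Cow::Borrowed(_)),
            Value::Object(m) => m
                .iter()
                .any(|(k, v)| matches!(k, Cow::Borrowed(_)) || v.has_borrowed()),
        }
    }

    /// Shallow merge modelled on `merge state of event end`: keys from `other` win.
    fn merge(&mut self, other: Value<'a>) {
        match other {
            Value::Object(src) => {
                if let Value::Object(dst) = self {
                    dst.extend(src);
                    return;
                }
                *self = Value::Object(src);
            }
            leaf => *self = leaf,
        }
    }
}

/// Pipeline state outlives every event, so it may only hold 'static (fully owned)
/// values; a borrowed Value<'event> cannot be stored here without unsafe code.
struct State {
    value: Value<'static>,
}

impl State {
    fn new() -> Self {
        State { value: Value::Object(BTreeMap::new()) }
    }

    /// Post-0.11.6 behaviour: clone into owned storage first, then merge.
    fn merge_event(&mut self, event: Value<'_>) {
        self.value.merge(event.into_owned());
    }
}

/// Read a top-level string field as an owned String, independent of any buffer.
fn get_str(v: &Value<'_>, key: &str) -> Option<String> {
    match v {
        Value::Object(m) => match m.get(key) {
            Some(Value::Str(s)) => Some(s.to_string()),
            _ => None,
        },
        _ => None,
    }
}

/// Drive events through state, freeing each event buffer right after the merge,
/// which is exactly the situation in which the old optimisation left dangling pointers.
fn run_events(events: &[String]) -> (Value<'static>, bool) {
    let mut state = State::new();
    for raw in events {
        let buf = raw.clone(); // per-event buffer, analogous to the event's Vec<u8>
        let event = Value::parse_event(&buf);
        state.merge_event(event);
        drop(buf); // buffer freed; state must hold no reference into it
    }
    let fully_owned = !state.value.has_borrowed();
    (state.value, fully_owned)
}

fn main() {
    // Constructed sample events for the demo, not real tremor traffic.
    let events = vec![
        "host=edge-1;user=alice".to_string(),
        "user=bob;action=login".to_string(),
    ];
    let (state, fully_owned) = run_events(&events);
    println!("state = {:?}", state);
    println!("no borrowed strings left in state: {}", fully_owned);
}
```

Build it with rustc or cargo run; after both event buffers have been dropped, state still answers lookups for host, user and action because every string was copied before the merge. Replacing into_owned() with a direct merge of the borrowed event fails to compile, which is the guarantee the removed optimisation had bypassed.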
Source: This report was generated using AI