[GHSA-h5x4-m2qf-r4f2] Diesel's SQLite backend has possible UTF-8 corruption

[weiznich]

Updates

• CVSS v4
• CWEs
• Severity

Comments
This is no SQL injection, but an broken safety invariant while deserializing data coming from the database.

Any attacker would need to have arbitrary write access to the database so that they can insert arbitrary binary data into a column where the application code using diesel expects an UTF-8 string. That usually requires that the attacker circumvents the normal way to insert data into this field as it can be assumed that almost always a string (that is utf-8) is used for that purpose. Based on this I suggest to change Attack Requirements (AT) to present and also Integrity to none (as there is no way that I'm aware of to use this to actually modify data as everything happens during deserialization)

[Copilot]

Pull request overview

Updates the GitHub-reviewed advisory record for GHSA-h5x4-m2qf-r4f2 (Diesel SQLite UTF-8 corruption) to reflect revised severity classification metadata (CVSS v4 vector, CWE list, and GitHub “severity”).

Changes:

• Updates the CVSS v4 vector (notably AT and impact metrics).
• Removes the previously assigned CWE (CWE-89) and sets cwe_ids to an empty list.
• Lowers database_specific.severity from HIGH to LOW.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[weiznich]

I don't think this correct, given the requirements to trigger this at all.

[github-actions]

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.