CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43402 – Rust OS Command Injection/Argument Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-43402
Rust is a programming language. The fix for CVE-2024-24576, where `std::process::Command` incorrectly escaped arguments when invoking batch files on Windows, was incomplete. Prior to Rust version 1.81.0, it was possible to bypass the fix when the batch file name had trailing whitespace or periods (which are ignored and stripped by Windows). To determine whether to apply the `cmd.exe` escaping rules, the original fix for the vulnerability checked whether the command name ended with `.bat` or `.cmd`. At the time that seemed enough, as we refuse to invoke batch scripts with no file extension. • https://blog.rust-lang.org/2024/04/09/cve-2024-24576.html https://github.com/rust-lang/rust/security/advisories/GHSA-2xg3-7mm6-98jj https://learn.microsoft.com/en-us/troubleshoot/windows-client/shell-experience/file-folder-name-whitespace-characters • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 8CVE-2024-24576 – Rusts's `std::process::Command` did not properly escape arguments of batch files on Windows
https://notcve.org/view.php?id=CVE-2024-24576
Rust is a programming language. The Rust Security Response WG was notified that the Rust standard library prior to version 1.77.2 did not properly escape arguments when invoking batch files (with the `bat` and `cmd` extensions) on Windows using the `Command`. An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping. The severity of this vulnerability is critical for those who invoke batch files on Windows with untrusted arguments. No other platform or use is affected. The `Command::arg` and `Command::args` APIs state in their documentation that the arguments will be passed to the spawned process as-is, regardless of the content of the arguments, and will not be evaluated by a shell. • https://github.com/aydinnyunus/CVE-2024-24576-Exploit https://github.com/frostb1ten/CVE-2024-24576-PoC https://github.com/brains93/CVE-2024-24576-PoC-Python https://github.com/mishalhossin/CVE-2024-24576-PoC-Python https://github.com/lpn/CVE-2024-24576.jl https://github.com/foxoman/CVE-2024-24576-PoC---Nim https://github.com/SheL3G/CVE-2024-24576-PoC-BatBadBut https://github.com/Gaurav1020/CVE-2024-24576-PoC-Rust http://www.openwall.com/lists/oss-security/2024/04/0 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-40030 – Malicious dependencies can inject arbitrary JavaScript into cargo-generated timing reports
https://notcve.org/view.php?id=CVE-2023-40030
Cargo downloads a Rust project’s dependencies and compiles the project. Starting in Rust 1.60.0 and prior to 1.72, Cargo did not escape Cargo feature names when including them in the report generated by `cargo build --timings`. A malicious package included as a dependency may inject nearly arbitrary HTML here, potentially leading to cross-site scripting if the report is subsequently uploaded somewhere. The vulnerability affects users relying on dependencies from git, local paths, or alternative registries. Users who solely depend on crates.io are unaffected. Rust 1.60.0 introduced `cargo build --timings`, which produces a report of how long the different steps of the build process took. • https://github.com/rust-lang/cargo/commit/9835622853f08be9a4b58ebe29dcec8f43b64b33 https://github.com/rust-lang/cargo/commit/f975722a0eac934c0722f111f107c4ea2f5c4365 https://github.com/rust-lang/cargo/pull/12291 https://github.com/rust-lang/cargo/security/advisories/GHSA-wrrj-h57r-vx9p • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.3EPSS: 0%CPEs: 8EXPL: 2CVE-2022-21658 – Race condition in std::fs::remove_dir_all in rustlang
https://notcve.org/view.php?id=CVE-2022-21658
Rust is a multi-paradigm, general-purpose programming language designed for performance and safety, especially safe concurrency. The Rust Security Response WG was notified that the `std::fs::remove_dir_all` standard library function is vulnerable a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete. Rust 1.0.0 through Rust 1.58.0 is affected by this vulnerability with 1.58.1 containing a patch. Note that the following build targets don't have usable APIs to properly mitigate the attack, and are thus still vulnerable even with a patched toolchain: macOS before version 10.10 (Yosemite) and REDOX. • https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html https://github.com/rust-lang/rust/pull/93110 https://github.com/rust-lang/rust/pull/93110/commits/32ed6e599bb4722efefd78bbc9cd7ec4613cb946 https://github.com/rust-lang/rust/pull/93110/commits/406cc071d6cfdfdb678bf3d83d766851de95abaf https://github.com/rust-lang/rust/pull/93110/commits/4f0ad1c92ca08da6e8dc17838070975762f59714 https://github.com/rust-lang/rust/security/advisories/GHSA-r9cc-f5pr-p3j2 https://lists.fedoraproject.org/archives/list/package-announc • CWE-363: Race Condition Enabling Link Following CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 2CVE-2021-29922 – rust: incorrect parsing of extraneous zero characters at the beginning of an IP address string
https://notcve.org/view.php?id=CVE-2021-29922
library/std/src/net/parser.rs in Rust before 1.53.0 does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. El archivo library/std/src/net/parser.rs en Rust versiones anteriores a 1.53.0, no considera apropiadamente los caracteres cero extraños al principio de una cadena de direcciones IP, lo que (en algunas situaciones) permite a atacantes omitir el control de acceso que es basado en las direcciones IP, debido a una interpretación octal inesperada A flaw was found in rust. Extraneous zero characters at the beginning of an IP address string are not properly considered which can allow an attacker to bypass IP-based access controls. The highest threat from this vulnerability is to data confidentiality and integrity. • https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis https://doc.rust-lang.org/beta/std/net/struct.Ipv4Addr.html https://github.com/rust-lang/rust/issues/83648 https://github.com/rust-lang/rust/pull/83652 https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-015.md https://security.gentoo.org/glsa/202210-09 https://access.redhat.com/security/cve/CVE-2021-29922 https://bugzilla.redhat.com/show_bug.cgi?id=1991962 • CWE-20: Improper Input Validation •