CVE-2024-43402 – Rust OS Command Injection/Argument Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-43402
Rust is a programming language. The fix for CVE-2024-24576, where `std::process::Command` incorrectly escaped arguments when invoking batch files on Windows, was incomplete. Prior to Rust version 1.81.0, it was possible to bypass the fix when the batch file name had trailing whitespace or periods (which are ignored and stripped by Windows). To determine whether to apply the `cmd.exe` escaping rules, the original fix for the vulnerability checked whether the command name ended with `.bat` or `.cmd`. At the time that seemed enough, as we refuse to invoke batch scripts with no file extension.
• https://blog.rust-lang.org/2024/04/09/cve-2024-24576.html https://github.com/rust-lang/rust/security/advisories/GHSA-2xg3-7mm6-98jj https://learn.microsoft.com/en-us/troubleshoot/windows-client/shell-experience/file-folder-name-whitespace-characters
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CVE-2024-24576 – Rust's `std::process::Command` did not properly escape arguments of batch files on Windows
https://notcve.org/view.php?id=CVE-2024-24576
Rust is a programming language. The Rust Security Response WG was notified that the Rust standard library prior to version 1.77.2 did not properly escape arguments when invoking batch files (with the `bat` and `cmd` extensions) on Windows using the `Command` API. An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping. The severity of this vulnerability is critical for those who invoke batch files on Windows with untrusted arguments. No other platform or use is affected. The `Command::arg` and `Command::args` APIs state in their documentation that the arguments will be passed to the spawned process as-is, regardless of the content of the arguments, and will not be evaluated by a shell.
• https://github.com/aydinnyunus/CVE-2024-24576-Exploit https://github.com/frostb1ten/CVE-2024-24576-PoC https://github.com/brains93/CVE-2024-24576-PoC-Python https://github.com/mishalhossin/CVE-2024-24576-PoC-Python https://github.com/lpn/CVE-2024-24576.jl https://github.com/foxoman/CVE-2024-24576-PoC---Nim https://github.com/SheL3G/CVE-2024-24576-PoC-BatBadBut https://github.com/Gaurav1020/CVE-2024-24576-PoC-Rust https://github.com/mishl-dev/CVE-2024-24576-PoC-Python&
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CVE-2023-40030 – Malicious dependencies can inject arbitrary JavaScript into cargo-generated timing reports
https://notcve.org/view.php?id=CVE-2023-40030
Cargo downloads a Rust project’s dependencies and compiles the project. Starting in Rust 1.60.0 and prior to 1.72, Cargo did not escape Cargo feature names when including them in the report generated by `cargo build --timings`. A malicious package included as a dependency may inject nearly arbitrary HTML here, potentially leading to cross-site scripting if the report is subsequently uploaded somewhere. The vulnerability affects users relying on dependencies from git, local paths, or alternative registries. Users who solely depend on crates.io are unaffected. Rust 1.60.0 introduced `cargo build --timings`, which produces a report of how long the different steps of the build process took.
• https://github.com/rust-lang/cargo/commit/9835622853f08be9a4b58ebe29dcec8f43b64b33 https://github.com/rust-lang/cargo/commit/f975722a0eac934c0722f111f107c4ea2f5c4365 https://github.com/rust-lang/cargo/pull/12291 https://github.com/rust-lang/cargo/security/advisories/GHSA-wrrj-h57r-vx9p
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-38497 – Cargo not respecting umask when extracting crate archives
https://notcve.org/view.php?id=CVE-2023-38497
Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local user, another local user could exploit this to change the source code compiled and executed by the current user. To prevent existing cached extractions from being exploitable, the Cargo binary version 0.72.2 included in Rust 1.71.1 or later will purge caches generated by older Cargo versions automatically. As a workaround, configure one's system to prevent other local users from accessing the Cargo directory, usually located in `~/.cargo`.
• https://en.wikipedia.org/wiki/Umask https://github.com/rust-lang/cargo/commit/d78bbf4bde3c6b95caca7512f537c6f9721426ff https://github.com/rust-lang/cargo/pull/12443 https://github.com/rust-lang/cargo/security/advisories/GHSA-j3xp-wfr4-hx87 https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2023-38497 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGKE6PGM4HIQUHPJRBQAHMELINSGN4H4 https://lists.fedoraproject.org/archives/list/package-announce@lists.f
• CWE-276: Incorrect Default Permissions CWE-278: Insecure Preserved Inherited Permissions CWE-732: Incorrect Permission Assignment for Critical Resource
CVE-2022-46176 – Cargo did not verify SSH host keys
https://notcve.org/view.php?id=CVE-2022-46176
Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle (MITM) attacks. This vulnerability has been assigned CVE-2022-46176. All Rust versions containing Cargo before 1.66.1 are vulnerable.
• http://www.openwall.com/lists/oss-security/2023/11/05/6 http://www.openwall.com/lists/oss-security/2023/11/06/5 https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176
• CWE-347: Improper Verification of Cryptographic Signature