CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43402 – Rust OS Command Injection/Argument Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-43402
04 Sep 2024 — Rust is a programming language. The fix for CVE-2024-24576, where `std::process::Command` incorrectly escaped arguments when invoking batch files on Windows, was incomplete. Prior to Rust version 1.81.0, it was possible to bypass the fix when the batch file name had trailing whitespace or periods (which are ignored and stripped by Windows). To determine whether to apply the `cmd.exe` escaping rules, the original fix for the vulnerability checked whether the command name ended with `.bat` or `.cmd`. At the t... • https://blog.rust-lang.org/2024/04/09/cve-2024-24576.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 10.0EPSS: 80%CPEs: 1EXPL: 10CVE-2024-24576 – Rusts's `std::process::Command` did not properly escape arguments of batch files on Windows
https://notcve.org/view.php?id=CVE-2024-24576
09 Apr 2024 — Rust is a programming language. The Rust Security Response WG was notified that the Rust standard library prior to version 1.77.2 did not properly escape arguments when invoking batch files (with the `bat` and `cmd` extensions) on Windows using the `Command`. An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping. The severity of this vulnerability is critical for those who invoke batch files on Windows with untrusted argument... • https://github.com/aydinnyunus/CVE-2024-24576-Exploit • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-40030 – Malicious dependencies can inject arbitrary JavaScript into cargo-generated timing reports
https://notcve.org/view.php?id=CVE-2023-40030
24 Aug 2023 — Cargo downloads a Rust project’s dependencies and compiles the project. Starting in Rust 1.60.0 and prior to 1.72, Cargo did not escape Cargo feature names when including them in the report generated by `cargo build --timings`. A malicious package included as a dependency may inject nearly arbitrary HTML here, potentially leading to cross-site scripting if the report is subsequently uploaded somewhere. The vulnerability affects users relying on dependencies from git, local paths, or alternative registries. ... • https://github.com/rust-lang/cargo/commit/9835622853f08be9a4b58ebe29dcec8f43b64b33 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.9EPSS: 1%CPEs: 2EXPL: 1CVE-2023-38497 – Cargo not respecting umask when extracting crate archives
https://notcve.org/view.php?id=CVE-2023-38497
04 Aug 2023 — Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local user, another local user could exploit this to change the source code compiled and executed by the current user. To prevent existing cached extractions from being exploitable, the Cargo binary version 0.72.2 includ... • https://github.com/lucas-cauhe/cargo-perm • CWE-276: Incorrect Default Permissions CWE-278: Insecure Preserved Inherited Permissions CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2022-46176 – Cargo did not verify SSH host keys
https://notcve.org/view.php?id=CVE-2022-46176
11 Jan 2023 — Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle (MITM) attacks. This vulnerability has been assigned CVE-2022-46176. All Rust versions containing Cargo before 1.66.1 are vulnerable. • http://www.openwall.com/lists/oss-security/2023/11/05/6 • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 9.4EPSS: 4%CPEs: 1EXPL: 0CVE-2022-36113 – Extracting malicious crates can corrupt arbitrary files
https://notcve.org/view.php?id=CVE-2022-36113
14 Sep 2022 — Cargo is a package manager for the rust programming language. After a package is downloaded, Cargo extracts its source code in the ~/.cargo folder on disk, making it available to the Rust projects it builds. To record when an extraction is successful, Cargo writes "ok" to the .cargo-ok file at the root of the extracted source code once it extracted all the files. It was discovered that Cargo allowed packages to contain a .cargo-ok symbolic link, which Cargo would extract. Then, when Cargo attempted to write... • https://github.com/rust-lang/cargo/commit/97b80919e404b0768ea31ae329c3b4da54bed05a • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-36114 – Extracting malicious crates can fill the file system
https://notcve.org/view.php?id=CVE-2022-36114
14 Sep 2022 — Cargo is a package manager for the rust programming language. It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternate registry a specially crafted package that extracts way more data than its size (also known as a "zip bomb"), exhausting the disk space on the machine using Cargo to download the package. Note that by design Cargo allows code execution at build time, due to build scripts and procedural macros. The vulnerabiliti... • https://github.com/rust-lang/cargo/commit/d1f9553c825f6d7481453be8d58d0e7f117988a7 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 9%CPEs: 7EXPL: 1CVE-2022-24713 – Regular expression denial of service in Rust's regex crate
https://notcve.org/view.php?id=CVE-2022-24713
08 Mar 2022 — regex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API. Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time ... • https://github.com/ItzSwirlz/CVE-2022-24713-POC • CWE-400: Uncontrolled Resource Consumption CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 7.3EPSS: 0%CPEs: 8EXPL: 3CVE-2022-21658 – Race condition in std::fs::remove_dir_all in rustlang
https://notcve.org/view.php?id=CVE-2022-21658
20 Jan 2022 — Rust is a multi-paradigm, general-purpose programming language designed for performance and safety, especially safe concurrency. The Rust Security Response WG was notified that the `std::fs::remove_dir_all` standard library function is vulnerable a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete. Rust 1.0.0 through Rust 1.58.0 is affected by this v... • https://github.com/sagittarius-a/cve-2022-21658 • CWE-363: Race Condition Enabling Link Following CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 2CVE-2021-29922 – rust: incorrect parsing of extraneous zero characters at the beginning of an IP address string
https://notcve.org/view.php?id=CVE-2021-29922
07 Aug 2021 — library/std/src/net/parser.rs in Rust before 1.53.0 does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. El archivo library/std/src/net/parser.rs en Rust versiones anteriores a 1.53.0, no considera apropiadamente los caracteres cero extraños al principio de una cadena de direcciones IP, lo que (en algunas situaciones) permi... • https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis • CWE-20: Improper Input Validation •