Security restrictions bypass in Rust Unicode implementation



Published: 2021-11-02 | Updated: 2023-09-18
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2021-42694
CWE-ID CWE-20
Exploitation vector Local
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software
Subscribe 		Rust Programming Language
Universal components / Libraries / Programming Languages & Components

Vendor Rust Team

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Input validation error

EUVDB-ID: #VU57849

Risk: Low

CVSSv3.1: 2.2 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-42694

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows an attacker to bypass certain security checks.

The vulnerability exists in the character definitions of the Unicode Specification. The specification allows an attacker to produce source code identifiers such as function names using homoglyphs that render visually identical to a target identifier. Adversaries can leverage this to inject code via adversarial identifier definitions in upstream software dependencies invoked deceptively in downstream software.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Rust Programming Language: 0.11.0 - 1.52.1

External links

http://blog.rust-lang.org/2021/11/01/cve-2021-42574.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###