SB2022092832 - Multiple vulnerabilities in Cargo for Rust
Published: September 28, 2022
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Resource exhaustion (CVE-ID: CVE-2022-36114)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when processing .zip files. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack, aka "zip bomb" attack.
2) UNIX symbolic link following (CVE-ID: CVE-2022-36113)
The vulnerability allows a remote attacker to corrupt arbitrary files on the system.
The vulnerability exists due to a symlink following issue. A remote attacker can add a malicious ".cargo-ok" symbolic link into the package, point the link to an arbitrary file on the system and corrupt it during package extraction.
Remediation
Install update from vendor's website.
References
- https://github.com/rust-lang/cargo/security/advisories/GHSA-2hvr-h6gw-qrxp
- https://github.com/rust-lang/cargo/commit/d1f9553c825f6d7481453be8d58d0e7f117988a7
- https://github.com/rust-lang/cargo/commit/97b80919e404b0768ea31ae329c3b4da54bed05a
- https://github.com/rust-lang/cargo/security/advisories/GHSA-rfj2-q3h3-hm5j