Multiple vulnerabilities in Cargo for Rust



Published: 2022-09-28
Risk: Medium
Patch available: Yes
Number of vulnerabilities: 2
CVE-ID: CVE-2022-36114, CVE-2022-36113
CWE-ID: CWE-400, CWE-61
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Cargo
Vendor: The Rust Programming Language

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Resource exhaustion

EUVDB-ID: #VU67718

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-36114

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not properly control consumption of internal resources when processing .zip files. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack, also known as a "zip bomb" attack.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Cargo: 0.1.0 - 0.64.0

External links

http://github.com/rust-lang/cargo/security/advisories/GHSA-2hvr-h6gw-qrxp
http://github.com/rust-lang/cargo/commit/d1f9553c825f6d7481453be8d58d0e7f117988a7


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) UNIX symbolic link following

EUVDB-ID: #VU67717

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-36113

CWE-ID: CWE-61 - UNIX Symbolic Link (Symlink) Following

Exploit availability: No

Description

The vulnerability allows a remote attacker to corrupt arbitrary files on the system.

The vulnerability exists due to a symlink following issue. A remote attacker can include a malicious ".cargo-ok" symbolic link in the package, point it at an arbitrary file on the system, and corrupt that file during package extraction.
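As an added example (not Cargo's own code), the two extraction-time defences that address the issues in this bulletin, written in Rust against the standard library only: a byte budget on decompressed output for the resource-exhaustion case, and a refusal to write the ".cargo-ok" marker through any pre-existing path for the symlink-following case. UNPACK_LIMIT, copy_bounded and write_cargo_ok are names and values constructed here; the create_new approach is one correct option and does not claim to reproduce the upstream commits.

```rust
use std::fs;
use std::io::{self, Read, Write};
use std::path::Path;

/// Maximum bytes that may be written while unpacking one package (constructed value).
pub const UNPACK_LIMIT: u64 = 64 * 1024;

/// Copy decompressed data into `out`, failing once more than `limit` bytes arrive.
/// Taking `limit + 1` bytes and then checking the count means a decompressor that
/// expands without end (the "zip bomb" case) is stopped after a bounded write.
pub fn copy_bounded<R: Read, W: Write>(src: R, out: &mut W, limit: u64) -> io::Result<u64> {
    let mut bounded = src.take(limit + 1);
    let written = io::copy(&mut bounded, out)?;
    if written > limit {
        return Err(io::Error::new(
            io::ErrorKind::InvalidData,
            format!("unpacked size exceeds limit of {limit} bytes"),
        ));
    }
    Ok(written)
}

/// Write the `.cargo-ok` marker into `pkg_dir` without ever following a link.
/// `create_new` maps to O_CREAT|O_EXCL: the open fails with AlreadyExists when any
/// entry, a symlink included (even a dangling one), already sits at the path, so a
/// planted link is never written through and there is no check-then-act window.
pub fn write_cargo_ok(pkg_dir: &Path) -> io::Result<()> {
    let marker = pkg_dir.join(".cargo-ok");
    match fs::OpenOptions::new().write(true).create_new(true).open(&marker) {
        Ok(mut f) => f.write_all(b"ok"),
        Err(e) if e.kind() == io::ErrorKind::AlreadyExists => Err(io::Error::new(
            e.kind(),
            "refusing to write .cargo-ok over an existing path (possible planted symlink)",
        )),
        Err(e) => Err(e),
    }
}

fn main() {
    // Constructed input: an endless stream of zeros stands in for a decompression bomb.
    let mut sink = Vec::new();
    match copy_bounded(io::repeat(0u8), &mut sink, UNPACK_LIMIT) {
        Ok(n) => println!("unpacked {n} bytes"),
        Err(e) => println!("rejected after {} bytes: {e}", sink.len()),
    }
}
```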

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Cargo: 0.1.0 - 0.64.0

External links

http://github.com/rust-lang/cargo/commit/97b80919e404b0768ea31ae329c3b4da54bed05a
http://github.com/rust-lang/cargo/security/advisories/GHSA-rfj2-q3h3-hm5j


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
