SUSE update for rust, rust1.72

Published: 2023-09-21

Risk	Low
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2023-40030
CWE-ID	CWE-79
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	Development Tools Module Operating systems & Components / Operating system SUSE Linux Enterprise Server for SAP Applications 15 Operating systems & Components / Operating system SUSE Linux Enterprise Server 15 Operating systems & Components / Operating system SUSE Linux Enterprise Real Time 15 Operating systems & Components / Operating system SUSE Linux Enterprise High Performance Computing 15 Operating systems & Components / Operating system SUSE Linux Enterprise Desktop 15 Operating systems & Components / Operating system openSUSE Leap Operating systems & Components / Operating system SUSE Manager Retail Branch Server Operating systems & Components / Operating system SUSE Manager Server Operating systems & Components / Operating system SUSE Manager Proxy Operating systems & Components / Operating system rust1.72-test Operating systems & Components / Operating system package or component rust1.72 Operating systems & Components / Operating system package or component rust Operating systems & Components / Operating system package or component cargo Operating systems & Components / Operating system package or component rust1.72-debuginfo Operating systems & Components / Operating system package or component cargo1.72-debuginfo Operating systems & Components / Operating system package or component cargo1.72 Operating systems & Components / Operating system package or component
Vendor	SUSE

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Cross-site scripting

EUVDB-ID: #VU96700

Risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-40030

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when downloading Rust project dependencies with Cargo. A remote attacker can execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Mitigation

Update the affected package rust, rust1.72 to the latest version.

Vulnerable software versions

Development Tools Module: 15-SP4 - 15-SP5

SUSE Linux Enterprise Server for SAP Applications 15: SP4 - SP5

SUSE Linux Enterprise Server 15: SP4 - SP5

SUSE Linux Enterprise Real Time 15: SP4 - SP5

SUSE Linux Enterprise High Performance Computing 15: SP4 - SP5

SUSE Linux Enterprise Desktop 15: SP4 - SP5

openSUSE Leap: 15.4 - 15.5

SUSE Manager Retail Branch Server: 4.3

SUSE Manager Server: 4.3

SUSE Manager Proxy: 4.3

rust1.72-test: before 1.72.0-150400.9.3.1

rust1.72: before 1.72.0-150400.9.3.1

rust: before 1.72.0-150400.24.24.1

cargo: before 1.72.0-150400.24.24.1

rust1.72-debuginfo: before 1.72.0-150400.9.3.1

cargo1.72-debuginfo: before 1.72.0-150400.9.3.1

cargo1.72: before 1.72.0-150400.9.3.1

CPE2.3

External links

https://www.suse.com/support/update/announcement/2023/suse-su-20233722-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.