Anolis OS update for rust
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2024-24576 |
| CWE-ID | CWE-78 |
| Exploitation vector | Network |
| Public exploit | Vulnerability #1 is being exploited in the wild. |
| Vulnerable software |
Anolis OS Operating systems & Components / Operating system rust-toolset Operating systems & Components / Operating system package or component rust-std-static-wasm32-wasi Operating systems & Components / Operating system package or component rust-std-static-wasm32-unknown-unknown Operating systems & Components / Operating system package or component rust-srpm-macros Operating systems & Components / Operating system package or component rust-src Operating systems & Components / Operating system package or component rust-lldb Operating systems & Components / Operating system package or component rust-gdb Operating systems & Components / Operating system package or component rust-debugger-common Operating systems & Components / Operating system package or component rust-std-static-x86_64-unknown-uefi Operating systems & Components / Operating system package or component rust-std-static-x86_64-unknown-none Operating systems & Components / Operating system package or component rustfmt Operating systems & Components / Operating system package or component rust-std-static Operating systems & Components / Operating system package or component rust-doc Operating systems & Components / Operating system package or component rust-analyzer Operating systems & Components / Operating system package or component rust Operating systems & Components / Operating system package or component clippy Operating systems & Components / Operating system package or component cargo Operating systems & Components / Operating system package or component |
| Vendor | OpenAnolis |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) OS Command Injection
EUVDB-ID: #VU88366
Risk: High
CVSSv4.0: 9.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]
CVE-ID: CVE-2024-24576
CWE-ID:
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper validation of arguments passed to the std::process::Command when invoking batch files (with the bat and cmd extensions) on Windows using the Command API. A remote attacker can trick the victim to run a specially crafted file and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 23
rust-toolset: before 1.77.2-1
rust-std-static-wasm32-wasi: before 1.77.2-1
rust-std-static-wasm32-unknown-unknown: before 1.77.2-1
rust-srpm-macros: before 1.77.2-1
rust-src: before 1.77.2-1
rust-lldb: before 1.77.2-1
rust-gdb: before 1.77.2-1
rust-debugger-common: before 1.77.2-1
rust-std-static-x86_64-unknown-uefi: before 1.77.2-1
rust-std-static-x86_64-unknown-none: before 1.77.2-1
rustfmt: before 1.77.2-1
rust-std-static: before 1.77.2-1
rust-doc: before 1.77.2-1
rust-analyzer: before 1.77.2-1
rust: before 1.77.2-1
clippy: before 1.77.2-1
cargo: before 1.77.2-1
CPE2.3- cpe:2.3:o:openanolis:anolis_os:23:*:*:*:*:*:*:*
- cpe:2.3:a:openanolis:rust-toolset:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:rust-std-static-wasm32-wasi:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:rust-std-static-wasm32-unknown-unknown:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:rust-srpm-macros:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:rust-src:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:rust-lldb:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:rust-gdb:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:rust-debugger-common:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:rust-std-static-x86_64-unknown-uefi:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:rust-std-static-x86_64-unknown-none:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:rustfmt:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:rust-std-static:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:rust-doc:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:rust-analyzer:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:rust:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:clippy:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:cargo:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:1056
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
