#VU67717 UNIX symbolic link following in Cargo


Published: 2022-09-28

Vulnerability identifier: #VU67717

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-36113

CWE-ID: CWE-61

Exploitation vector: Network

Exploit availability: No

Vulnerable software: Cargo

Vendor: The Rust Programming Language

Description

The vulnerability allows a remote attacker to corrupt arbitrary files on the system.

The vulnerability exists due to a symlink following issue. A remote attacker can add a malicious ".cargo-ok" symbolic link into the package, point the link to an arbitrary file on the system and corrupt it during package extraction.
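The following Rust program is an added illustration, not code from the bulletin or from the Cargo project, of the hazard described above and of one way to write the `.cargo-ok` marker safely. It constructs, in a temporary directory, a "victim" file outside the extraction root and a `.cargo-ok` symbolic link inside it pointing at that file, then compares a naive marker write (which follows the link and overwrites the victim) with a hardened one that refuses any pre-existing path and opens with `create_new` (O_CREAT|O_EXCL, which does not follow symlinks). The directory names, the victim file and the `write_marker_*` functions are assumptions for this example; the hardened version is an illustrative mitigation, not the vendor's actual patch.

```rust
use std::fs::{self, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::symlink;
use std::path::{Path, PathBuf};

/// Name of the extraction-success marker described in the bulletin.
const MARKER: &str = ".cargo-ok";

/// Naive marker write, modelled on the pre-fix behaviour the bulletin describes:
/// `fs::write` opens with O_CREAT|O_TRUNC and follows symlinks, so if the package
/// planted `.cargo-ok -> <victim>`, the victim file is truncated and overwritten.
fn write_marker_naive(extract_root: &Path) -> io::Result<()> {
    fs::write(extract_root.join(MARKER), b"ok")
}

/// Hardened marker write (illustrative mitigation, assumed for this example):
/// 1. lstat the marker path and refuse if anything is already there, symlink or not;
/// 2. open with `create_new` (O_CREAT|O_EXCL), which fails on an existing path and
///    never follows a symlink, so a link raced in after the check is still rejected.
fn write_marker_safe(extract_root: &Path) -> io::Result<()> {
    let marker = extract_root.join(MARKER);
    if fs::symlink_metadata(&marker).is_ok() {
        return Err(io::Error::new(
            io::ErrorKind::AlreadyExists,
            format!("{} already present in package; refusing to write through it", MARKER),
        ));
    }
    let mut f = OpenOptions::new().write(true).create_new(true).open(&marker)?;
    f.write_all(b"ok")
}

/// Constructed scenario: a victim file outside the extraction root and a malicious
/// `.cargo-ok` symlink inside it. Returns (scenario base dir, victim path).
fn setup(tag: &str) -> io::Result<(PathBuf, PathBuf)> {
    let base = std::env::temp_dir()
        .join(format!("vu67717-demo-{}-{}", std::process::id(), tag));
    let _ = fs::remove_dir_all(&base);
    let extract_root = base.join("pkg-1.0.0"); // hypothetical unpacked crate directory
    fs::create_dir_all(&extract_root)?;
    let victim = base.join("victim.txt");
    fs::write(&victim, b"original contents")?;
    symlink(&victim, extract_root.join(MARKER))?;
    Ok((base, victim))
}

/// Runs both writers against fresh scenarios. Returns the victim's contents after
/// the naive write, its contents after the hardened write, and whether the hardened
/// write refused to proceed.
pub fn demo() -> io::Result<(String, String, bool)> {
    let (base, victim) = setup("naive")?;
    write_marker_naive(&base.join("pkg-1.0.0"))?;
    let after_naive = fs::read_to_string(&victim)?;
    fs::remove_dir_all(&base)?;

    let (base, victim) = setup("safe")?;
    let refused = write_marker_safe(&base.join("pkg-1.0.0")).is_err();
    let after_safe = fs::read_to_string(&victim)?;
    fs::remove_dir_all(&base)?;

    Ok((after_naive, after_safe, refused))
}

fn main() -> io::Result<()> {
    let (naive, safe, refused) = demo()?;
    println!("victim after naive marker write:    {:?}", naive);
    println!("victim after hardened marker write: {:?} (refused: {})", safe, refused);
    Ok(())
}
```

The lstat check alone would leave a race between the check and the open; relying on `create_new` for the actual open is what makes the write safe, because the kernel rejects an existing path regardless of where a symlink points. The same principle applies to every file an extractor creates, not only the marker: never open a destination path with a mode that follows links unless the path was created by the extractor itself in this run.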

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

Cargo: 0.1.0 - 0.64.0


External links
http://github.com/rust-lang/cargo/commit/97b80919e404b0768ea31ae329c3b4da54bed05a
http://github.com/rust-lang/cargo/security/advisories/GHSA-rfj2-q3h3-hm5j


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
