#VU88366 OS Command Injection in Rust Programming Language - CVE-2024-24576
Published: April 10, 2024 / Updated: May 16, 2024
Vulnerability identifier: #VU88366
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: CVE-2024-24576
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability:
The vulnerability is being exploited in the wild
Vulnerable software:
Rust Programming Language
Rust Programming Language
Software vendor:
Rust Team
Rust Team
Description
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper validation of arguments passed to the std::process::Command when invoking batch files (with the bat and cmd extensions) on Windows using the Command API. A remote attacker can trick the victim to run a specially crafted file and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
Install updates from vendor's website.