CVE-2022-46176 Cargo did not verify SSH host keys

2023-01-1120:07:12

CWE-347

GitHub_M

www.cve.org

cargo

rust

ssh

vulnerability

cve-2022-46176

mitm

attack

security

upgrade

github

index

dependency

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

AI Score

Confidence

High

EPSS

0.001

Percentile

38.5%

JSON

Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle (MITM) attacks. This vulnerability has been assigned CVE-2022-46176. All Rust versions containing Cargo before 1.66.1 are vulnerable. Note that even if you don’t explicitly use SSH for alternate registry indexes or crate dependencies, you might be affected by this vulnerability if you have configured git to replace HTTPS connections to GitHub with SSH (through git’s [url.<base>.insteadOf][1] setting), as that’d cause you to clone the crates.io index through SSH. Rust 1.66.1 will ensure Cargo checks the SSH host key and abort the connection if the server’s public key is not already trusted. We recommend everyone to upgrade as soon as possible.

CNA Affected

[
  {
    "vendor": "rust-lang",
    "product": "cargo",
    "versions": [
      {
        "version": "<= 0.67.0",
        "status": "affected"
      }
    ]
  }
]