62 matches found
Medium: rust
Issue Overview: Cargo downloads a Rust project's dependencies and compiles the project. Starting in Rust 1.60.0 and prior to 1.72, Cargo did not escape Cargo feature names when including them in the report generated by cargo build --timings. A malicious package included as a dependency may inject...
Medium: rust
Issue Overview: Cargo downloads a Rust project's dependencies and compiles the project. Starting in Rust 1.60.0 and prior to 1.72, Cargo did not escape Cargo feature names when including them in the report generated by cargo build --timings. A malicious package included as a dependency may inject...
AZL-28511 CVE-2023-40030 affecting package rust for versions less than 1.72.0-2
Cargo downloads a Rust project’s dependencies and compiles the project. Starting in Rust 1.60.0 and prior to 1.72, Cargo did not escape Cargo feature names when including them in the report generated by cargo build --timings. A malicious package included as a dependency may inject nearly arbitrar...
Oracle Access Manager Multiple Vulnerabilities (Apr 2023 CPU)
The version of Oracle Access Manager installed on the remote host is missing a security patch from the April 2023 CPU Advisory. It is, therefore, affected by multiple vulnerabilities: - Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware component: Third Party Jython. T...
Medium: rust
Issue Overview: Cargo is a package manager for the rust programming language. After a package is downloaded, Cargo extracts its source code in the /.cargo folder on disk, making it available to the Rust projects it builds. To reco rd when an extraction is successful, Cargo writes "ok" to the...
Amazon Linux 2 : rust (ALAS-2023-1959)
The version of rust installed on the remote host is prior to 1.66.1-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2023-1959 advisory. Cargo is a package manager for the rust programming language. After a package is downloaded, Cargo extracts its source code ...
SUSE CVE-2022-36113
Cargo is a package manager for the rust programming language. After a package is downloaded, Cargo extracts its source code in the /.cargo folder on disk, making it available to the Rust projects it builds. To record when an extraction is successful, Cargo writes "ok" to the .cargo-ok file at the...
SUSE CVE-2022-36114
Cargo is a package manager for the rust programming language. It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternate registry a specially crafted package that extracts way more data than its size also known as a...
Attacking The Supply Chain: Developer
In this proof of concept, we look into one of several attack vectors that can be abused to attack the supply chain: targeting the developer. With a focus on the local integrated developer environment IDE, this proof considers the execution of malicious build scripts via injecting commands when th...
firejail
This repository is an open-source project for the Firejail tool, which is a Linux security tool that allows users to sandbox applications and restrict their access to system resources. The repository contains various files and directories related to the project, including configuration files,...
Cloudflare Public Bug Bounty: Extraction of Pages build scripts, config values, tokens, etc. via symlinks
A vulnerability was discovered in Pages build scripts that allowed malicious actors to extract build source/configuration and environment variables via symlinks due to broader permission set on certain folders within the filesystem structure. The issue was remediated by tightening permissions on...
DEBIAN-CVE-2022-36114
Cargo is a package manager for the rust programming language. It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternate registry a specially crafted package that extracts way more data than its size also known as a...
CVE-2022-36114
Cargo is a package manager for the rust programming language. It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternate registry a specially crafted package that extracts way more data than its size also known as a...
DEBIAN-CVE-2022-36113
Cargo is a package manager for the rust programming language. After a package is downloaded, Cargo extracts its source code in the /.cargo folder on disk, making it available to the Rust projects it builds. To record when an extraction is successful, Cargo writes "ok" to the .cargo-ok file at the...
UBUNTU-CVE-2022-36114
Cargo is a package manager for the rust programming language. It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternate registry a specially crafted package that extracts way more data than its size also known as a...
Design/Logic Flaw
Cargo is a package manager for the rust programming language. It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternate registry a specially crafted package that extracts way more data than its size also known as a...
CVE-2022-36114
Cargo is a package manager for the rust programming language. It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternate registry a specially crafted package that extracts way more data than its size also known as a...
CVE-2022-36114
CVE-2022-36114 concerns Cargo, Rust’s package manager. The advisory states Cargo does not limit data extracted from compressed archives, enabling a zip-bomb attack when a malicious package is uploaded to an alternate registry. This could exhaust disk space on a machine downloading the package. Th...
CVE-2022-36114
Cargo is a package manager for the rust programming language. It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternate registry a specially crafted package that extracts way more data than its size also known as a...
CVE-2022-36113
Cargo vulnerability (CVE-2022-36113): Cargo would extract packages into ~/.cargo and mark success with a .cargo-ok file. A malicious package could include a .cargo-ok symlink; when Cargo wrote ok, it would overwrite the first two bytes of the symlink target, enabling corruption of a single file o...