
3305 matches found

CVE
added 2023/09/05 6:31 p.m., 2507 views

CVE-2023-41317

Summary. CVE-2023-41317 affects Apollo Router (Rust) v1.28.0, v1.28.1, and v1.29.0, where an anonymous GraphQL subscription can trigger a DoS panic if the supergraph defines a subscription type and subscriptions are enabled in config. The vulnerability requires all four conditions to be met: impa...

CVSS 7.5 | AI score 6.4 | EPSS 0.00258
Exploits 0 | References 3 | Affected software 1

Vulnrichment
added 2023/09/05 6:31 p.m., 15 views

CVE-2023-41317 Unnamed "Subscription" operation results in Denial-of-Service in apollographql/router

The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Affected versions are subject to a Denial-of-Service DoS type vulnerability which causes the Router to panic and terminate when GraphQL Subscriptions are...

CVSS 7.5 | AI score 6.9 | EPSS 0.00258
Exploits 0 | References 3

Amazon
added 2023/09/05 12:00 a.m., 38 views

Important: rust

Issue Overview: Cargo downloads the Rust project's dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files...

CVSS 7.9 | AI score 7.1 | EPSS 0.05657
Exploits 0

GithubExploit
added 2023/09/01 4:45 p.m., 245 views

Exploit for Insufficient Verification of Data Authenticity in Rarlab Winrar

CVE-2023-38831 Builder Quick exploit builder for CVE-2023-388...

CVSS 7.8 | AI score 6.7 | EPSS 0.93865
Exploits 49

Tenable Nessus
added 2023/08/25 12:00 a.m., 24 views

Oracle Linux 9 : rust (ELSA-2023-4634)

The remote Oracle Linux 9 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2023-4634 advisory. 1.66.1-2 - rust-cargo: cargo does not respect the umask when extracting dependencies CVE-2023-38497 Tenable has extracted the preceding description block direct...

CVSS 7.9 | AI score 6.9 | EPSS 0.05657
Exploits 0 | References 2

UbuntuCve
added 2023/08/24 11:15 p.m., 16 views

CVE-2023-40030

Cargo downloads a Rust project’s dependencies and compiles the project. Starting in Rust 1.60.0 and prior to 1.72, Cargo did not escape Cargo feature names when including them in the report generated by cargo build --timings. A malicious package included as a dependency may inject nearly arbitrar...

CVSS 6.1 | AI score 6.9 | EPSS 0.00193
Exploits 0 | References 5

Prion
added 2023/08/24 11:15 p.m., 17 views

Cross site scripting

Cargo downloads a Rust project’s dependencies and compiles the project. Starting in Rust 1.60.0 and prior to 1.72, Cargo did not escape Cargo feature names when including them in the report generated by cargo build --timings. A malicious package included as a dependency may inject nearly arbitrar...

CVSS 5.8 | AI score 6.7 | EPSS 0.00193
Exploits 0 | References 4 | Affected software 1

CVE
added 2023/08/24 10:56 p.m., 75 views

CVE-2023-40030

Summary (CVE-2023-40030): Cargo could include unescaped Cargo feature names in the timings report, enabling potential cross-site scripting if the report is uploaded to a site that uses credentials. This affects builds using dependencies from git/local paths/alternative registries; crates.io-only ...

CVSS 6.1 | AI score 6.8 | EPSS 0.00193
Exploits 0 | References 4 | Affected software 1

Vulnrichment
added 2023/08/24 10:56 p.m., 11 views

CVE-2023-40030 Malicious dependencies can inject arbitrary JavaScript into cargo-generated timing reports

Cargo downloads a Rust project’s dependencies and compiles the project. Starting in Rust 1.60.0 and prior to 1.72, Cargo did not escape Cargo feature names when including them in the report generated by cargo build --timings. A malicious package included as a dependency may inject nearly arbitrar...

CVSS 6.1 | AI score 7.4 | EPSS 0.00193
Exploits 0 | References 4

Cvelist
added 2023/08/24 10:56 p.m., 14 views

CVE-2023-40030 Malicious dependencies can inject arbitrary JavaScript into cargo-generated timing reports

Cargo downloads a Rust project’s dependencies and compiles the project. Starting in Rust 1.60.0 and prior to 1.72, Cargo did not escape Cargo feature names when including them in the report generated by cargo build --timings. A malicious package included as a dependency may inject nearly arbitrar...

CVSS 6.1 | AI score 7.3 | EPSS 0.00193
Exploits 0 | References 4

OSV
added 2023/08/24 10:56 p.m., 23 views

CVE-2023-40030 Malicious dependencies can inject arbitrary JavaScript into cargo-generated timing reports

Cargo downloads a Rust project’s dependencies and compiles the project. Starting in Rust 1.60.0 and prior to 1.72, Cargo did not escape Cargo feature names when including them in the report generated by cargo build --timings. A malicious package included as a dependency may inject nearly arbitrar...

CVSS 6.1 | AI score 6.9 | EPSS 0.00193
Exploits 0 | References 6

Debian CVE
added 2023/08/24 10:56 p.m., 13 views

CVE-2023-40030

Cargo downloads a Rust project’s dependencies and compiles the project. Starting in Rust 1.60.0 and prior to 1.72, Cargo did not escape Cargo feature names when including them in the report generated by cargo build --timings. A malicious package included as a dependency may inject nearly arbitrar...

CVSS 6.1 | AI score 6.8 | EPSS 0.00193
Exploits 0

OSV
added 2023/08/24 10:15 p.m., 15 views

GHSA-WRRJ-H57R-VX9P Malicious dependencies can inject arbitrary JavaScript into cargo-generated timing reports

The Rust Security Response WG was notified that Cargo did not escape Cargo feature names when including them in the report generated by cargo build --timings. A malicious package included as a dependency may inject nearly arbitrary HTML here, potentially leading to XSS if the report is subsequent...

CVSS 6.1 | AI score 6.7 | EPSS 0.00193
Exploits 0 | References 4

CNNVD
added 2023/08/24 12:00 a.m., 1 view

Rust cross-site scripting vulnerability

Rust is a general-purpose, compiled programming language from the Mozilla Foundation. A cross-site scripting vulnerability exists in Rust versions prior to 1.60.0 through 1.72, which stems from a cross-site scripting XSS vulnerability due to not properly escaping the Cargo feature name...

CVSS 6.1 | AI score 5.8 | EPSS 0.00193
Exploits 0 | References 5

Tenable Nessus
added 2023/08/24 12:00 a.m., 36 views

Rocky Linux 9 : rust (RLSA-2023:4634)

The remote Rocky Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2023:4634 advisory. - Cargo downloads the Rust project's dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not...

CVSS 7.9 | AI score 7 | EPSS 0.05657
Exploits 0 | References 3

Fedora
added 2023/08/17 12:34 a.m., 29 views

[SECURITY] Fedora 37 Update: rust-1.71.1-1.fc37

Rust is a systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety. This package includes the Rust compiler and documentation generator...

CVSS 7.9 | AI score 7 | EPSS 0.05657
Exploits 0

Tenable Nessus
added 2023/08/17 12:00 a.m., 19 views

Fedora 37 : rust (2023-4824704a61)

The remote Fedora 37 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-4824704a61 advisory. Security fix for CVE-2023-38497 Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus h...

CVSS 7.9 | AI score 7 | EPSS 0.05657
Exploits 0 | References 2

OpenVAS
added 2023/08/17 12:00 a.m., 23 views

Fedora: Security Advisory for rust (FEDORA-2023-4824704a61)

The remote host is missing an update for the SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 7.9 | AI score 7.3 | EPSS 0.05657
Exploits 0 | References 2

Tenable Nessus
added 2023/08/16 12:00 a.m., 35 views

AlmaLinux 8 : rust-toolset:rhel8 (ALSA-2023:4635)

The remote AlmaLinux 8 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2023:4635 advisory. rust-cargo: cargo does not respect the umask when extracting dependencies CVE-2023-38497 Tenable has extracted the preceding description block directly from the...

CVSS 7.9 | AI score 7 | EPSS 0.05657
Exploits 0 | References 2

Tenable Nessus
added 2023/08/15 12:00 a.m., 27 views

AlmaLinux 9 : rust (ALSA-2023:4634)

The remote AlmaLinux 9 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2023:4634 advisory. - Cargo downloads the Rust project's dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respe...

CVSS 7.9 | AI score 7 | EPSS 0.05657
Exploits 0 | References 2