8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:P/A:P
0.003 Low
EPSS
Percentile
67.7%
Cargo is a package manager for the rust programming language. After a
package is downloaded, Cargo extracts its source code in the ~/.cargo
folder on disk, making it available to the Rust projects it builds. To
record when an extraction is successful, Cargo writes “ok” to the .cargo-ok
file at the root of the extracted source code once it extracted all the
files. It was discovered that Cargo allowed packages to contain a .cargo-ok
symbolic link, which Cargo would extract. Then, when Cargo attempted to
write “ok” into .cargo-ok, it would actually replace the first two bytes of
the file the symlink pointed to with ok. This would allow an attacker to
corrupt one file on the machine using Cargo to extract the package. Note
that by design Cargo allows code execution at build time, due to build
scripts and procedural macros. The vulnerabilities in this advisory allow
performing a subset of the possible damage in a harder to track down way.
Your dependencies must still be trusted if you want to be protected from
attacks, as it’s possible to perform the same attacks with build scripts
and procedural macros. The vulnerability is present in all versions of
Cargo. Rust 1.64, to be released on September 22nd, will include a fix for
it. Since the vulnerability is just a more limited way to accomplish what a
malicious build scripts or procedural macros can do, we decided not to
publish Rust point releases backporting the security fix. Patch files are
available for Rust 1.63.0 are available in the wg-security-response
repository for people building their own toolchain. Mitigations We
recommend users of alternate registries to exercise care in which package
they download, by only including trusted dependencies in their projects.
Please note that even with these vulnerabilities fixed, by design Cargo
allows arbitrary code execution at build time thanks to build scripts and
procedural macros: a malicious dependency will be able to cause damage
regardless of these vulnerabilities. crates.io implemented server-side
checks to reject these kinds of packages years ago, and there are no
packages on crates.io exploiting these vulnerabilities. crates.io users
still need to exercise care in choosing their dependencies though, as
remote code execution is allowed by design there as well.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | cargo | < any | UNKNOWN |
ubuntu | 20.04 | noarch | cargo | < 0.67.1+ds0ubuntu0.libgit2-0ubuntu0.20.04.2 | UNKNOWN |
ubuntu | 22.04 | noarch | cargo | < 0.67.1+ds0ubuntu0.libgit2-0ubuntu0.22.04.2 | UNKNOWN |
ubuntu | 23.04 | noarch | cargo | < 0.67.1+ds0ubuntu1-0ubuntu1 | UNKNOWN |
ubuntu | 16.04 | noarch | cargo | < any | UNKNOWN |
github.com/rust-lang/cargo/commit/97b80919e404b0768ea31ae329c3b4da54bed05a
github.com/rust-lang/cargo/security/advisories/GHSA-rfj2-q3h3-hm5j
launchpad.net/bugs/cve/CVE-2022-36113
nvd.nist.gov/vuln/detail/CVE-2022-36113
security-tracker.debian.org/tracker/CVE-2022-36113
www.cve.org/CVERecord?id=CVE-2022-36113
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:P/A:P
0.003 Low
EPSS
Percentile
67.7%