CVSS3
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile: 38.5%
Cargo is a Rust package manager. The Rust Security Response WG was notified
that Cargo did not perform SSH host key verification when cloning indexes
and dependencies via SSH. An attacker could exploit this to perform
man-in-the-middle (MITM) attacks. This vulnerability has been assigned
CVE-2022-46176. All Rust versions containing Cargo before 1.66.1 are
vulnerable. Note that even if you don't explicitly use SSH for alternate
registry indexes or crate dependencies, you might be affected by this
vulnerability if you have configured git to replace HTTPS connections to
GitHub with SSH (through git's [url.<base>.insteadOf][1] setting), as
that would cause you to clone the crates.io index through SSH. Rust 1.66.1
will ensure that Cargo checks the SSH host key and aborts the connection if
the server's public key is not already trusted. We recommend that everyone
upgrade as soon as possible.
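An added check for the condition the advisory describes (example code written for this page, not the advisory's or Cargo's own): it parses a git config for `url.<base>.insteadOf` rewrites, applies git's longest-prefix rule to the crates.io index URL, and combines that with the Cargo version to decide whether a host is affected. The config text and version strings are constructed sample input.

```python
import re

# Index repository Cargo clones for crates.io by default (a github.com insteadOf rule hits it too).
CRATES_IO_INDEX = "https://github.com/rust-lang/crates.io-index"
FIXED_CARGO = (1, 66, 1)  # first Cargo release that verifies SSH host keys

# Constructed sample ~/.gitconfig; pushInsteadOf affects pushes only, not clones.
SAMPLE_GITCONFIG = """
[user]
    name = dev
[url "git@github.com:"]
    insteadOf = https://github.com/
[url "ssh://git@github.com/"]
    pushInsteadOf = https://github.com/
"""
SECTION_RE = re.compile(r'^\s*\[url\s+"([^"]+)"\]\s*$')
INSTEAD_OF_RE = re.compile(r'^\s*insteadOf\s*=\s*(\S+)\s*$', re.I)

def parse_instead_of(gitconfig: str) -> dict:
    """Map each insteadOf prefix to the [url "<base>"] that replaces it."""
    rules, base = {}, None
    for raw in gitconfig.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0]  # drop git comments
        section = SECTION_RE.match(line)
        if section:
            base = section.group(1)
        elif line.strip().startswith("["):
            base = None  # some other section, e.g. [user]
        elif base is not None and (rule := INSTEAD_OF_RE.match(line)):
            rules[rule.group(1)] = base
    return rules

def rewrite(url: str, rules: dict) -> str:
    """Rewrite as git does: the longest matching insteadOf prefix wins."""
    matches = [p for p in rules if url.startswith(p)]
    if not matches:
        return url
    prefix = max(matches, key=len)
    return rules[prefix] + url[len(prefix):]

def uses_ssh(url: str) -> bool:  # ssh:// URLs and scp-style user@host:path URLs
    return url.startswith("ssh://") or re.match(r"^[\w.-]+@[\w.-]+:", url) is not None

def cargo_version(version_output: str) -> tuple:  # (major, minor, patch) from `cargo --version`
    return tuple(int(n) for n in re.search(r"(\d+)\.(\d+)\.(\d+)", version_output).groups())

def affected(version_output: str, gitconfig: str, ssh_registry: bool = False) -> bool:
    """Vulnerable Cargo combined with an SSH path to the index, explicit or via insteadOf."""
    index_url = rewrite(CRATES_IO_INDEX, parse_instead_of(gitconfig))
    return cargo_version(version_output) < FIXED_CARGO and (ssh_registry or uses_ssh(index_url))
```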
OS | OS Version | Architecture | Package | Affected Version | Filename
---|---|---|---|---|---
ubuntu | 18.04 | noarch | cargo | < any | UNKNOWN
ubuntu | 20.04 | noarch | cargo | < 0.67.1+ds0ubuntu0.libgit2-0ubuntu0.20.04.2 | UNKNOWN
ubuntu | 22.04 | noarch | cargo | < 0.67.1+ds0ubuntu0.libgit2-0ubuntu0.22.04.2 | UNKNOWN
ubuntu | 23.04 | noarch | cargo | < 0.67.1+ds0ubuntu1-0ubuntu1 | UNKNOWN
ubuntu | 16.04 | noarch | cargo | < any | UNKNOWN
ubuntu | 22.04 | noarch | rust-cargo | < any | UNKNOWN
ubuntu | 23.04 | noarch | rust-cargo | < 0.66.0-1 | UNKNOWN