10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.6 High
AI Score
Confidence
High
0.0005 Low
EPSS
Percentile
17.1%
Rust is a programming language. The Rust Security Response WG was notified
that the Rust standard library prior to version 1.77.2 did not properly
escape arguments when invoking batch files (with the bat
and cmd
extensions) on Windows using the Command
. An attacker able to control the
arguments passed to the spawned process could execute arbitrary shell
commands by bypassing the escaping. The severity of this vulnerability is
critical for those who invoke batch files on Windows with untrusted
arguments. No other platform or use is affected. The Command::arg
and
Command::args
APIs state in their documentation that the arguments will
be passed to the spawned process as-is, regardless of the content of the
arguments, and will not be evaluated by a shell. This means it should be
safe to pass untrusted input as an argument. On Windows, the implementation
of this is more complex than other platforms, because the Windows API only
provides a single string containing all the arguments to the spawned
process, and it’s up to the spawned process to split them. Most programs
use the standard C run-time argv, which in practice results in a mostly
consistent way arguments are splitted. One exception though is cmd.exe
(used among other things to execute batch files), which has its own
argument splitting logic. That forces the standard library to implement
custom escaping for arguments passed to batch files. Unfortunately it was
reported that our escaping logic was not thorough enough, and it was
possible to pass malicious arguments that would result in arbitrary shell
execution. Due to the complexity of cmd.exe
, we didn’t identify a
solution that would correctly escape arguments in all cases. To maintain
our API guarantees, we improved the robustness of the escaping code, and
changed the Command
API to return an InvalidInput
error when it cannot
safely escape an argument. This error will be emitted when spawning the
process. The fix is included in Rust 1.77.2. Note that the new escaping
logic for batch files errs on the conservative side, and could reject valid
arguments. Those who implement the escaping themselves or only handle
trusted inputs on Windows can also use the CommandExt::raw_arg
method to
bypass the standard library’s escaping logic.
Author | Note |
---|---|
sbeattie | cargo in mantic was merged into rustc |
alexmurray | Only affects rustc on Windows so rustc etc on Ubuntu is not affected. |
doc.rust-lang.org/std/io/enum.ErrorKind.html#variant.InvalidInput
doc.rust-lang.org/std/os/windows/process/trait.CommandExt.html#tymethod.raw_arg
doc.rust-lang.org/std/process/struct.Command.html
doc.rust-lang.org/std/process/struct.Command.html#method.arg
doc.rust-lang.org/std/process/struct.Command.html#method.args
github.com/rust-lang/rust/issues
github.com/rust-lang/rust/security/advisories/GHSA-q455-m56c-85mh
launchpad.net/bugs/cve/CVE-2024-24576
nvd.nist.gov/vuln/detail/CVE-2024-24576
security-tracker.debian.org/tracker/CVE-2024-24576
www.cve.org/CVERecord?id=CVE-2024-24576
www.rust-lang.org/policies/security
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.6 High
AI Score
Confidence
High
0.0005 Low
EPSS
Percentile
17.1%