Vulnerability identifier: #VU67717
Vulnerability risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID: CWE-61
Exploitation vector: Network
Exploit availability: No
Vulnerable software: Cargo
Vendor: The Rust Programming Language
Description
The vulnerability allows a remote attacker to corrupt arbitrary files on the system.
The vulnerability exists because symbolic links are followed during package extraction. A remote attacker can include a malicious ".cargo-ok" symbolic link in a package and point it at an arbitrary file on the system; that file is corrupted when the package is extracted.
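A check of the kind an extractor can run before it writes anything, added here as an example and not taken from Cargo's own fix: it walks the archive's POSIX tar headers and rejects link entries that are named ".cargo-ok" or whose target escapes the extraction directory. The header offsets are the standard tar layout; the function names and the constructed test archive are this example's own.

```rust
// Added example (not Cargo's code): scan POSIX tar headers for link entries an extractor
// should refuse before writing. Layout: name 0..100, size (octal) 124..136, typeflag 156, link 157..257.
pub const BLOCK: usize = 512;

// Read a NUL-terminated string field from a header.
fn field(h: &[u8], start: usize, len: usize) -> String {
    let raw = &h[start..start + len];
    let end = raw.iter().position(|&b| b == 0).unwrap_or(len);
    String::from_utf8_lossy(&raw[..end]).into_owned()
}

// Reject hard/sym links (typeflag '1'/'2') that would redirect the extractor's own
// `.cargo-ok` write or that point outside the extraction directory.
fn check_entry(h: &[u8]) -> Result<(), String> {
    let name = field(h, 0, 100);
    if h[156] == b'1' || h[156] == b'2' {
        let target = field(h, 157, 100);
        if name.rsplit('/').next() == Some(".cargo-ok") {
            return Err(format!("{name}: link entry would shadow the .cargo-ok marker"));
        }
        if target.starts_with('/') || target.split('/').any(|c| c == "..") {
            return Err(format!("{name} -> {target}: target escapes the extraction dir"));
        }
    }
    Ok(())
}

// Walk every entry of an in-memory archive; returns one message per rejected entry.
pub fn scan_archive(tar: &[u8]) -> Vec<String> {
    let mut errors = Vec::new();
    let mut off = 0;
    while off + BLOCK <= tar.len() {
        let h = &tar[off..off + BLOCK];
        if h.iter().all(|&b| b == 0) { break; } // end-of-archive zero block
        if let Err(e) = check_entry(h) { errors.push(e); }
        let size = usize::from_str_radix(field(h, 124, 12).trim(), 8).unwrap_or(0);
        off += BLOCK + (size + BLOCK - 1) / BLOCK * BLOCK; // skip padded data blocks
    }
    errors
}

// Build a constructed header (no checksum; enough for scanning, not for extraction).
pub fn header(name: &str, typeflag: u8, link: &str, size: usize) -> Vec<u8> {
    let mut h = vec![0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[124..135].copy_from_slice(format!("{size:011o}").as_bytes());
    h[156] = typeflag;
    h[157..157 + link.len()].copy_from_slice(link.as_bytes());
    h
}
```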
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Cargo: 0.1.0 - 0.64.0
External links
https://github.com/rust-lang/cargo/commit/97b80919e404b0768ea31ae329c3b4da54bed05a
https://github.com/rust-lang/cargo/security/advisories/GHSA-rfj2-q3h3-hm5j
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.