CVE-2019-16760

CWE-16, CWE-494 | 9 documents | 8 sources

Severity: 7.5 HIGH
EPSS: 0.2% (top 60.19%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline: Published Sep 30; Latest update May 24

Description

Cargo prior to Rust 1.26.0 may download the wrong dependency if your package.toml file uses the `package` configuration key. Usage of the `package` key to rename dependencies in `Cargo.toml` is ignored in Rust 1.25.0 and prior. When Rust 1.25.0 and prior is used Cargo may download the wrong dependency, which could be squatted on crates.io to be a malicious package. This not only affects manifests that you write locally yourself, but also manifests published to crates.io. Rust 1.0.0 through Rust

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L
Exploitability: 1.2 | Impact: 3.4

Affected Packages (4 packages)

Source      | Package        | Affected range
CVEListV5   | rust/cargo     | 1.0.0 to 1.26.0
NVD         | rust-lang/rust | < 1.26.0
crates.io   | cargo          | < 0.27.0
Debian      | cargo          | < 0.27.0-1+1

Patches

🔴 Vulnerability Details (4)

GHSA: Cargo prior to Rust 1.26.0 may download the wrong dependency (2022-05-24)
OSV: Cargo prior to Rust 1.26.0 may download the wrong dependency (2022-05-24)
CVEList: Cargo prior to Rust 1.26.0 may download the wrong dependency (2019-09-30)
OSV: CVE-2019-16760: Cargo prior to Rust 1 (2019-09-30)

📋 Vendor Advisories (3)

Red Hat: rust: privilege escalation in cargo (2019-09-30)
Microsoft: Cargo prior to Rust 1.26.0 may download the wrong dependency (2019-09-10)
Debian: CVE-2019-16760: cargo - Cargo prior to Rust 1.26.0 may download the wrong dependency if your package.tom... (2019)

💬 Community (1)

Bugzilla: CVE-2019-16760 rust: privilege escalation in cargo (2019-10-09)

CVE-2019-16760 (HIGH, CVSS 7.5) | cvebase.io