CVE-2022-36113

CWE-22Path TraversalCWE-597 documents6 sources
Severity
8.1HIGH
EPSS
8.9%
top 7.41%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Rust-lang Cargo
Timeline
PublishedSep 14
Latest updateSep 16

Description

Cargo is a package manager for the rust programming language. After a package is downloaded, Cargo extracts its source code in the ~/.cargo folder on disk, making it available to the Rust projects it builds. To record when an extraction is successful, Cargo writes "ok" to the .cargo-ok file at the root of the extracted source code once it extracted all the files. It was discovered that Cargo allowed packages to contain a .cargo-ok symbolic link, which Cargo would extract. Then, when Cargo attemp

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:LExploitability: 1.2 | Impact: 3.4

Affected Packages5 packages

CVEListV5rust-lang/cargo< 0.65.0+1
NVDrust-lang/cargo< 0.65.0
Debianrust-cargo< 0.66.0-1+2
crates.iocargo0.66.00.67.0+1
Debiancargo< 0.63.1-1

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
Cargo extracting malicious crates can corrupt arbitrary files2022-09-16
GHSA
Cargo extracting malicious crates can corrupt arbitrary files2022-09-16
CVEList
Extracting malicious crates can corrupt arbitrary files2022-09-14
OSV
CVE-2022-36113: Cargo is a package manager for the rust programming language2022-09-14

📋Vendor Advisories

2
Microsoft
Extracting malicious crates can corrupt arbitrary files2022-09-13
Debian
CVE-2022-36113: cargo - Cargo is a package manager for the rust programming language. After a package is...2022
CVE-2022-36113 (HIGH CVSS 8.1) | Cargo is a package manager for the | cvebase.io