CVE-2022-36114

CWE-400 — Uncontrolled Resource Consumption7 documents6 sources

Severity

6.5MEDIUM

EPSS

0.5%

top 34.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rust-lang Cargo

Timeline

PublishedSep 14

Latest updateSep 16

Description

Cargo is a package manager for the rust programming language. It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternate registry a specially crafted package that extracts way more data than its size (also known as a "zip bomb"), exhausting the disk space on the machine using Cargo to download the package. Note that by design Cargo allows code execution at build time, due to build scripts and procedural macros. The v…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:HExploitability: 1.2 | Impact: 3.6

Affected Packages5 packages

▶CVEListV5rust-lang/cargo< 0.65.0+1

▶NVDrust-lang/cargo< 0.65.0

▶Debianrust-cargo< 0.66.0-1+2

▶crates.iocargo0.66.0 — 0.67.0+1

▶Debiancargo< 0.63.1-1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Cargo extracting malicious crates can fill the file system↗2022-09-16

▶

OSV

Cargo extracting malicious crates can fill the file system↗2022-09-16

▶

OSV

CVE-2022-36114: Cargo is a package manager for the rust programming language↗2022-09-14

▶

CVEList

Extracting malicious crates can fill the file system↗2022-09-14

▶

📋Vendor Advisories

Microsoft

Extracting malicious crates can fill the file system↗2022-09-13

▶

Debian

CVE-2022-36114: cargo - Cargo is a package manager for the rust programming language. It was discovered ...↗2022

▶