CVE-2022-46176

CWE-347 | 8 documents | 7 sources
Severity: 5.9 MEDIUM
EPSS: 0.1% (top 64.62%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see the Affected Packages list below
Timeline: Published Jan 11

Description

Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle (MITM) attacks. This vulnerability has been assigned CVE-2022-46176. All Rust versions containing Cargo before 1.66.1 are vulnerable. Note that even if you don't explicitly use SSH for alternate registry indexes or crate dependencies, you might be affected by this

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Exploitability: 1.6 | Impact: 3.6

Affected Packages (5 packages)

Source      Package           Version
Debian      rust-cargo        < 0.66.0-1+2
CVEListV5   rust-lang/cargo   0.67.0
NVD         rust-lang/cargo   0.67.0
crates.io   cargo             < 0.67.1
Debian      cargo             < 0.66.0+ds1-1

Patches

Vulnerability Details (4)

CVEList    Cargo did not verify SSH host keys                                  2023-01-11
OSV        CVE-2022-46176: Cargo is a Rust package manager                     2023-01-11
OSV        Cargo did not verify SSH host keys                                  2023-01-10
GHSA       Cargo did not verify SSH host keys                                  2023-01-10

Vendor Advisories (3)

Red Hat    rust-cargo: cargo lacking ssh host key checking                     2023-01-10
Microsoft  Cargo did not verify SSH host keys                                  2023-01-10
Debian     CVE-2022-46176: cargo - Cargo is a Rust package manager. The Rust Security Response WG was notified that...   2022
CVE-2022-46176 (MEDIUM CVSS 5.9) | Cargo is a Rust package manager | cvebase.io