CVE-2023-40030

CWE-79 — Cross-site Scripting (XSS)7 documents6 sources

Severity

6.1MEDIUM

EPSS

0.1%

top 71.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rust-lang Rust Rust-lang Cargo

Timeline

PublishedAug 24

Description

Cargo downloads a Rust project’s dependencies and compiles the project. Starting in Rust 1.60.0 and prior to 1.72, Cargo did not escape Cargo feature names when including them in the report generated by `cargo build --timings`. A malicious package included as a dependency may inject nearly arbitrary HTML here, potentially leading to cross-site scripting if the report is subsequently uploaded somewhere. The vulnerability affects users relying on dependencies from git, local paths, or alternative …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶Debianrust-cargo< 0.76.0-1+1

▶CVEListV5rust-lang/cargo>= 1.60.0, < 1.72

▶crates.iocargo1.60.0 — 1.72

▶NVDrust-lang/rust1.60.0 — 1.72.0

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2023-40030: Cargo downloads a Rust project’s dependencies and compiles the project↗2023-08-24

▶

CVEList

Malicious dependencies can inject arbitrary JavaScript into cargo-generated timing reports↗2023-08-24

▶

GHSA

Malicious dependencies can inject arbitrary JavaScript into cargo-generated timing reports↗2023-08-24

▶

OSV

Malicious dependencies can inject arbitrary JavaScript into cargo-generated timing reports↗2023-08-24

▶

📋Vendor Advisories

Microsoft

Malicious dependencies can inject arbitrary JavaScript into cargo-generated timing reports↗2023-08-08

▶

Debian

CVE-2023-40030: cargo - Cargo downloads a Rust project’s dependencies and compiles the project. Starting...↗2023

▶