CVE-2024-43402
Severity: 8.8 HIGH
EPSS: 0.5% (top 33.55%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Sep 4
Latest update: Nov 22
Description
Rust is a programming language. The fix for CVE-2024-24576, where `std::process::Command` incorrectly escaped arguments when invoking batch files on Windows, was incomplete. Prior to Rust version 1.81.0, it was possible to bypass the fix when the batch file name had trailing whitespace or periods (which are ignored and stripped by Windows). To determine whether to apply the `cmd.exe` escaping rules, the original fix for the vulnerability checked whether the command name ended with `.bat` or `.cm…
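The extension check described above, as an added example (not code from the Rust standard library or from this advisory): it compares a check on the literal end of the name with one that first drops the trailing whitespace and periods Windows ignores. The function names and sample file names are constructed for illustration, and the `.bat`/`.cmd` pair is assumed from the public advisory text.

```rust
/// Extension check that looks only at the literal end of the name,
/// which is how the description characterizes the incomplete fix.
fn literal_suffix_is_batch(name: &str) -> bool {
    let lower = name.to_ascii_lowercase();
    lower.ends_with(".bat") || lower.ends_with(".cmd")
}

/// Same check after removing trailing whitespace and periods, so the
/// decision is made on the name Windows will actually resolve.
fn normalized_is_batch(name: &str) -> bool {
    let trimmed = name.trim_end_matches(|c: char| c == '.' || c.is_whitespace());
    literal_suffix_is_batch(trimmed)
}

/// Names where the two checks disagree: Windows would run a batch file,
/// but the literal check would skip the cmd.exe escaping rules.
fn escaping_gap<'a>(names: &[&'a str]) -> Vec<&'a str> {
    names
        .iter()
        .copied()
        .filter(|n| normalized_is_batch(n) && !literal_suffix_is_batch(n))
        .collect()
}

fn main() {
    // Constructed sample names, not taken from any real system.
    let samples = ["build.bat", "build.BAT", "build.bat.", "build.cmd  ", "build.bat. .", "tool.exe."];
    for name in samples {
        println!(
            "{:<16} literal={:<5} normalized={}",
            format!("{:?}", name),
            literal_suffix_is_batch(name),
            normalized_is_batch(name)
        );
    }
    println!("gap: {:?}", escaping_gap(&samples));
}
```

A code audit on a toolchain older than 1.81.0 can apply the normalized form to any file name that reaches `Command::new` from untrusted input.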
CVSS vector
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitability: 1.4 | Impact: 6.0
Affected Packages: 2 packages
HackerOne: `std::process::Command` batch files argument escaping could be bypassed with trailing whitespace or periods (2024-11-22)