CVE-2022-21658

CVSS V2 Low 3.3 CVSS V3 Medium 6.3
Description
Rust is a multi-paradigm, general-purpose programming language designed for performance and safety, especially safe concurrency. The Rust Security Response WG was notified that the `std::fs::remove_dir_all` standard library function is vulnerable to a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete. Rust 1.0.0 through Rust 1.58.0 are affected by this vulnerability, with 1.58.1 containing a patch. Note that the following build targets don't have usable APIs to properly mitigate the attack, and are thus still vulnerable even with a patched toolchain: macOS before version 10.10 (Yosemite) and Redox. We recommend that everyone update to Rust 1.58.1 as soon as possible, especially people developing programs expected to run in privileged contexts (including system daemons and setuid binaries), as those have the highest risk of being affected by this. Note that adding checks in your codebase before calling `remove_dir_all` will not mitigate the vulnerability, as they would be subject to the same race condition as `remove_dir_all` itself. The existing mitigation is working as intended outside of race conditions.
Overview
  • CVE ID: CVE-2022-21658
  • Assigner: security-advisories@github.com
  • Vulnerability Status: Analyzed
  • Published: 2022-01-20T18:15:07
  • Last Modified: 2022-10-19T13:22:56
CPE Configuration (Product)
CPE | Vulnerable | Operator | Version Start (including) | Version End (excluding)
cpe:2.3:a:rust-lang:rust:*:*:*:*:*:*:*:* | 1 | OR | 1.0.0 | 1.58.0
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:* | 1 | OR | - | -
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* | 1 | OR | - | -
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* | 1 | OR | - | 15.4
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* | 1 | OR | - | 15.4
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* | 1 | OR | 12.0.0 | 12.3
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:* | 1 | OR | - | 15.4
cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:* | 1 | OR | - | 8.5
CVSS Version 2
  • Version: 2.0
  • Vector String: AV:L/AC:M/Au:N/C:N/I:P/A:P
  • Access Vector: LOCAL
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL
  • Base Score: 3.3
  • Severity: LOW
  • Exploitability Score: 3.4
  • Impact Score: 4.9
CVSS Version 3
  • Version: 3.1
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H
  • Attack Vector: LOCAL
  • Attack Complexity: HIGH
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: HIGH
  • Availability Impact: HIGH
  • Base Score: 6.3
  • Base Severity: MEDIUM
  • Exploitability Score: 1.0
  • Impact Score: 5.2
References
Reference URL | Reference Tags
https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html | Exploit, Mitigation, Vendor Advisory
https://github.com/rust-lang/rust/pull/93110 | Patch, Third Party Advisory
https://github.com/rust-lang/rust/pull/93110/commits/32ed6e599bb4722efefd78bbc9cd7ec4613cb946 | Patch, Third Party Advisory
https://github.com/rust-lang/rust/pull/93110/commits/406cc071d6cfdfdb678bf3d83d766851de95abaf | Patch, Third Party Advisory
https://github.com/rust-lang/rust/pull/93110/commits/4f0ad1c92ca08da6e8dc17838070975762f59714 | Patch, Third Party Advisory
https://github.com/rust-lang/rust/security/advisories/GHSA-r9cc-f5pr-p3j2 | Exploit, Mitigation, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7JKZDTBMGAWIFJSNWKBMPO5EAKRR4BEW/ | Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BK32QZLHDC2OVLPKTUHNT2G3VHWHD4LX/ | Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C63NH72Q7UHJM5V3IVYRI7LVBGGFQMSQ/ | Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKGTACKMKAPRDPWPTU26GYWBELIRFF5N/ | Mailing List, Third Party Advisory
https://security.gentoo.org/glsa/202210-09 | Third Party Advisory
https://support.apple.com/kb/HT213182 | Third Party Advisory
https://support.apple.com/kb/HT213183 | Third Party Advisory
https://support.apple.com/kb/HT213186 | Third Party Advisory
https://support.apple.com/kb/HT213193 | Third Party Advisory
History
Created | Old Value | New Value | Data Type | Notes
2022-04-04 00:42:13 | - | - | - | Added to TrackCVE
2022-12-06 07:19:03 | 2022-01-20T18:15Z | 2022-01-20T18:15:07 | CVE Published Date | updated
2022-12-06 07:19:03 | - | 2022-10-19T13:22:56 | CVE Modified Date | updated
2022-12-06 07:19:03 | - | Analyzed | Vulnerability Status | updated
2022-12-06 07:19:09 | - | - | References | updated