CVE - CVE-2022-21658

CVE-ID
CVE-2022-21658	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Rust is a multi-paradigm, general-purpose programming language designed for performance and safety, especially safe concurrency. The Rust Security Response WG was notified that the `std::fs::remove_dir_all` standard library function is vulnerable a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete. Rust 1.0.0 through Rust 1.58.0 is affected by this vulnerability with 1.58.1 containing a patch. Note that the following build targets don't have usable APIs to properly mitigate the attack, and are thus still vulnerable even with a patched toolchain: macOS before version 10.10 (Yosemite) and REDOX. We recommend everyone to update to Rust 1.58.1 as soon as possible, especially people developing programs expected to run in privileged contexts (including system daemons and setuid binaries), as those have the highest risk of being affected by this. Note that adding checks in your codebase before calling remove_dir_all will not mitigate the vulnerability, as they would also be vulnerable to race conditions like remove_dir_all itself. The existing mitigation is working as intended outside of race conditions.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
CONFIRM:https://support.apple.com/kb/HT213182 CONFIRM:https://support.apple.com/kb/HT213183 CONFIRM:https://support.apple.com/kb/HT213186 CONFIRM:https://support.apple.com/kb/HT213193 CONFIRM:https://github.com/rust-lang/rust/security/advisories/GHSA-r9cc-f5pr-p3j2 URL:https://github.com/rust-lang/rust/security/advisories/GHSA-r9cc-f5pr-p3j2 FEDORA:FEDORA-2022-06569a0a60 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7JKZDTBMGAWIFJSNWKBMPO5EAKRR4BEW/ FEDORA:FEDORA-2022-1b76e3a192 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKGTACKMKAPRDPWPTU26GYWBELIRFF5N/ FEDORA:FEDORA-2022-1bafa3fc91 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BK32QZLHDC2OVLPKTUHNT2G3VHWHD4LX/ FEDORA:FEDORA-2022-2c73789458 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C63NH72Q7UHJM5V3IVYRI7LVBGGFQMSQ/ GENTOO:GLSA-202210-09 URL:https://security.gentoo.org/glsa/202210-09 MISC:https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html URL:https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html MISC:https://github.com/rust-lang/rust/pull/93110 URL:https://github.com/rust-lang/rust/pull/93110 MISC:https://github.com/rust-lang/rust/pull/93110/commits/32ed6e599bb4722efefd78bbc9cd7ec4613cb946 URL:https://github.com/rust-lang/rust/pull/93110/commits/32ed6e599bb4722efefd78bbc9cd7ec4613cb946 MISC:https://github.com/rust-lang/rust/pull/93110/commits/406cc071d6cfdfdb678bf3d83d766851de95abaf URL:https://github.com/rust-lang/rust/pull/93110/commits/406cc071d6cfdfdb678bf3d83d766851de95abaf MISC:https://github.com/rust-lang/rust/pull/93110/commits/4f0ad1c92ca08da6e8dc17838070975762f59714 URL:https://github.com/rust-lang/rust/pull/93110/commits/4f0ad1c92ca08da6e8dc17838070975762f59714
Assigning CNA
GitHub (maintainer security advisories)
Date Record Created
20211116	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20211116)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)