Vulnerability Details : CVE-2022-21658
Potential exploit
Rust is a multi-paradigm, general-purpose programming language designed for performance and safety, especially safe concurrency. The Rust Security Response WG was notified that the `std::fs::remove_dir_all` standard library function is vulnerable a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete. Rust 1.0.0 through Rust 1.58.0 is affected by this vulnerability with 1.58.1 containing a patch. Note that the following build targets don't have usable APIs to properly mitigate the attack, and are thus still vulnerable even with a patched toolchain: macOS before version 10.10 (Yosemite) and REDOX. We recommend everyone to update to Rust 1.58.1 as soon as possible, especially people developing programs expected to run in privileged contexts (including system daemons and setuid binaries), as those have the highest risk of being affected by this. Note that adding checks in your codebase before calling remove_dir_all will not mitigate the vulnerability, as they would also be vulnerable to race conditions like remove_dir_all itself. The existing mitigation is working as intended outside of race conditions.
Products affected by CVE-2022-21658
- cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
- cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
- cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
- cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
- cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
- cpe:2.3:a:rust-lang:rust:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-21658
0.89%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 74 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-21658
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.3
|
LOW | AV:L/AC:M/Au:N/C:N/I:P/A:P |
3.4
|
4.9
|
NIST | |
6.3
|
MEDIUM | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H |
1.0
|
5.2
|
NIST | |
7.3
|
HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H |
2.0
|
4.7
|
GitHub, Inc. |
CWE ids for CVE-2022-21658
-
The product checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before the access is performed, causing the product to access the wrong file.Assigned by: security-advisories@github.com (Primary)
-
The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.Assigned by:
- nvd@nist.gov (Secondary)
- security-advisories@github.com (Primary)
References for CVE-2022-21658
-
https://support.apple.com/kb/HT213186
About the security content of tvOS 15.4 - Apple SupportThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BK32QZLHDC2OVLPKTUHNT2G3VHWHD4LX/
[SECURITY] Fedora 35 Update: rust-1.58.1-1.fc35 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7JKZDTBMGAWIFJSNWKBMPO5EAKRR4BEW/
[SECURITY] Fedora 34 Update: rust-afterburn-5.2.0-4.fc34 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://support.apple.com/kb/HT213183
About the security content of macOS Monterey 12.3 - Apple SupportThird Party Advisory
-
https://security.gentoo.org/glsa/202210-09
Rust: Multiple Vulnerabilities (GLSA 202210-09) — Gentoo securityThird Party Advisory
-
https://support.apple.com/kb/HT213193
About the security content of watchOS 8.5 - Apple SupportThird Party Advisory
-
https://github.com/rust-lang/rust/pull/93110/commits/4f0ad1c92ca08da6e8dc17838070975762f59714
[stable] Fix CVE 2022 21658 and prepare 1.58.1 by pietroalbini · Pull Request #93110 · rust-lang/rust · GitHubPatch;Third Party Advisory
-
https://github.com/rust-lang/rust/pull/93110/commits/406cc071d6cfdfdb678bf3d83d766851de95abaf
[stable] Fix CVE 2022 21658 and prepare 1.58.1 by pietroalbini · Pull Request #93110 · rust-lang/rust · GitHubPatch;Third Party Advisory
-
https://github.com/rust-lang/rust/security/advisories/GHSA-r9cc-f5pr-p3j2
Race condition in std::fs::remove_dir_all · Advisory · rust-lang/rust · GitHubExploit;Mitigation;Third Party Advisory
-
https://github.com/rust-lang/rust/pull/93110
[stable] Fix CVE 2022 21658 and prepare 1.58.1 by pietroalbini · Pull Request #93110 · rust-lang/rust · GitHubPatch;Third Party Advisory
-
https://github.com/rust-lang/rust/pull/93110/commits/32ed6e599bb4722efefd78bbc9cd7ec4613cb946
[stable] Fix CVE 2022 21658 and prepare 1.58.1 by pietroalbini · Pull Request #93110 · rust-lang/rust · GitHubPatch;Third Party Advisory
-
https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html
Security advisory for the standard library (CVE-2022-21658) | Rust BlogExploit;Mitigation;Vendor Advisory
-
https://support.apple.com/kb/HT213182
About the security content of iOS 15.4 and iPadOS 15.4 - Apple SupportThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKGTACKMKAPRDPWPTU26GYWBELIRFF5N/
[SECURITY] Fedora 35 Update: rust-afterburn-5.2.0-4.fc35 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C63NH72Q7UHJM5V3IVYRI7LVBGGFQMSQ/
[SECURITY] Fedora 34 Update: rust-1.58.1-1.fc34 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
Jump to