Rust is a multi-paradigm, general-purpose programming language designed for performance and safety, especially safe concurrency. The Rust Security Response WG was notified that the `std::fs::remove_dir_all` standard library function is vulnerable a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete. Rust 1.0.0 through Rust 1.58.0 is affected by this vulnerability with 1.58.1 containing a patch. Note that the following build targets don't have usable APIs to properly mitigate the attack, and are thus still vulnerable even with a patched toolchain: macOS before version 10.10 (Yosemite) and REDOX. We recommend everyone to update to Rust 1.58.1 as soon as possible, especially people developing programs expected to run in privileged contexts (including system daemons and setuid binaries), as those have the highest risk of being affected by this. Note that adding checks in your codebase before calling remove_dir_all will not mitigate the vulnerability, as they would also be vulnerable to race conditions like remove_dir_all itself. The existing mitigation is working as intended outside of race conditions.
Published 2022-01-20 18:15:08
Updated 2022-10-19 13:22:56
Source GitHub, Inc.
View at NVD,   CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2022-21658

0.09%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 37 %
Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-21658

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
3.3
LOW AV:L/AC:M/Au:N/C:N/I:P/A:P
3.4
4.9
NIST
6.3
MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H
1.0
5.2
NIST
7.3
HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H
2.0
4.7
GitHub, Inc.

CWE ids for CVE-2022-21658

  • The product checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before the access is performed, causing the product to access the wrong file.
    Assigned by: security-advisories@github.com (Primary)
  • The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.
    Assigned by:
    • nvd@nist.gov (Secondary)
    • security-advisories@github.com (Primary)

References for CVE-2022-21658

Products affected by CVE-2022-21658

This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!