Skip to main content

Rust CVE-2024-43402

HIGH
OS Command Injection (CWE-78)
2024-09-04 security-advisories@github.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Sep 04, 2024 - 16:15 nvd
HIGH 8.8

DescriptionNVD

Rust is a programming language. The fix for CVE-2024-24576, where std::process::Command incorrectly escaped arguments when invoking batch files on Windows, was incomplete. Prior to Rust version 1.81.0, it was possible to bypass the fix when the batch file name had trailing whitespace or periods (which are ignored and stripped by Windows). To determine whether to apply the cmd.exe escaping rules, the original fix for the vulnerability checked whether the command name ended with .bat or .cmd. At the time that seemed enough, as we refuse to invoke batch scripts with no file extension. Windows removes trailing whitespace and periods when parsing file paths. For example, .bat. . is interpreted by Windows as .bat, but the original fix didn't check for that. Affected users who are using Rust 1.77.2 or greater can remove the trailing whitespace (ASCII 0x20) and trailing periods (ASCII 0x2E) from the batch file name to bypass the incomplete fix and enable the mitigations. Users are affected if their code or one of their dependencies invoke a batch script on Windows with trailing whitespace or trailing periods in the name, and pass untrusted arguments to it. Rust 1.81.0 will update the standard library to apply the CVE-2024-24576 mitigations to all batch files invocations, regardless of the trailing chars in the file name.

AnalysisAI

Rust is a programming language. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Technical ContextAI

This vulnerability is classified as OS Command Injection (CWE-78), which allows attackers to execute arbitrary operating system commands on the host. Rust is a programming language. The fix for CVE-2024-24576, where std::process::Command incorrectly escaped arguments when invoking batch files on Windows, was incomplete. Prior to Rust version 1.81.0, it was possible to bypass the fix when the batch file name had trailing whitespace or periods (which are ignored and stripped by Windows). To determine whether to apply the cmd.exe escaping rules, the original fix for the vulnerability checked whether the command name ended with .bat or .cmd. At the time that seemed enough, as we refuse to invoke batch scripts with no file extension. Windows removes trailing whitespace and periods when parsing file paths. For example, .bat. . is interpreted by Windows as .bat, but the original fix didn't check for that. Affected users who are using Rust 1.77.2 or greater can remove the trailing whitespace (ASCII 0x20) and trailing periods (ASCII 0x2E) from the batch file name to bypass the incomplete fix and enable the mitigations. Users are affected if their code or one of their dependencies invoke a batch script on Windows with trailing whitespace or trailing periods in the name, and pass untrusted arguments to it. Rust 1.81.0 will update the standard library to apply the CVE-2024-24576 mitigations to all batch files invocations, regardless of the trailing chars in the file name. Affected products include: Rust-Lang Rust. Version information: version 1.81.0.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Avoid passing user input to shell commands. Use language-specific APIs instead of shell execution. Apply strict input validation with allowlists.

More in Rust

View all
CVE-2024-3566 CRITICAL POC
9.8 Apr 10

Command injection via Windows CreateProcess argument parsing affects multiple language runtimes and tooling (Node.js, PH

CVE-2021-31162 CRITICAL POC
9.8 Apr 14

In the standard library in Rust before 1.52.0, a double free can occur in the Vec::from_iter function if freeing the ele

CVE-2021-28879 CRITICAL POC
9.8 Apr 11

In the standard library in Rust before 1.52.0, the Zip implementation can report an incorrect size due to an integer ove

CVE-2021-29922 CRITICAL POC
9.1 Aug 07

library/std/src/net/parser.rs in Rust before 1.53.0 does not properly consider extraneous zero characters at the beginni

CVE-2019-12083 HIGH POC
8.1 May 13

The Rust Programming Language Standard Library 1.34.x before 1.34.2 contains a stabilized method which, if overridden, c

CVE-2021-28878 HIGH POC
7.5 Apr 11

In the standard library in Rust before 1.52.0, the Zip implementation calls __iterator_get_unchecked() more than once fo

CVE-2021-28875 HIGH POC
7.5 Apr 11

In the standard library in Rust before 1.50.0, read_to_end() does not validate the return value from Read in an unsafe c

CVE-2019-16760 HIGH POC
7.5 Sep 30

Cargo prior to Rust 1.26.0 may download the wrong dependency if your package.toml file uses the `package` configuration

CVE-2024-24576 CRITICAL
10.0 Apr 09

Rust is a programming language. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no auth

CVE-2018-1000810 CRITICAL
9.8 Oct 08

The Rust Programming Language Standard Library version 1.29.0, 1.28.0, 1.27.2, 1.27.1, 127.0, 126.2, 126.1, 126.0 contai

CVE-2021-28876 MEDIUM POC
5.3 Apr 11

In the standard library in Rust before 1.52.0, the Zip implementation has a panic safety issue. Rated medium severity (C

CVE-2019-1010299 MEDIUM POC
5.3 Jul 15

The Rust Programming Language Standard Library 1.18.0 and later is affected by: CWE-200: Information Exposure. Rated med

Share

CVE-2024-43402 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy