Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

fstec логотип

BDU:2023-00687

Опубликовано: 10 янв. 2023
Источник: fstec
CVSS3: 5.3
CVSS2: 5.4
EPSS Низкий

Описание

Уязвимость менеджера пакетов Cargo языка программирования Rust связана с некорректной проверкой криптографической подписи. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, оказать воздействие на целостность защищаемой информации через SSH-протокол

Вендор

ООО «Ред Софт»
Novell Inc.
The Rust Foundation
АО "НППКТ"

Наименование ПО

РЕД ОС
OpenSUSE Leap
Suse Linux Enterprise Server
SUSE Linux Enterprise Server for SAP Applications
Rust
ОСОН ОСнова Оnyx

Версия ПО

7.3 (РЕД ОС)
15.4 (OpenSUSE Leap)
15 SP3 (Suse Linux Enterprise Server)
15 SP3 (SUSE Linux Enterprise Server for SAP Applications)
до 0.67.0 включительно (Rust)
до 2.9 (ОСОН ОСнова Оnyx)

Тип ПО

Операционная система
Прикладное ПО информационных систем

Операционные системы и аппаратные платформы

ООО «Ред Софт» РЕД ОС 7.3
Novell Inc. OpenSUSE Leap 15.4
Novell Inc. Suse Linux Enterprise Server 15 SP3
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP3
АО "НППКТ" ОСОН ОСнова Оnyx до 2.9

Уровень опасности уязвимости

Средний уровень опасности (базовая оценка CVSS 2.0 составляет 5,4)
Средний уровень опасности (базовая оценка CVSS 3.0 составляет 5,3)

Возможные меры по устранению уязвимости

Для Rust:
https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j
Для программных продуктов Novell Inc.:
https://www.suse.com/security/cve/CVE-2022-46176.html
Для ОСОН ОСнова Оnyx:
Обновление программного обеспечения cargo до версии 0.66.0+ds1-1osnova1
Для РедОС: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/

Статус уязвимости

Подтверждена производителем

Наличие эксплойта

Данные уточняются

Информация об устранении

Уязвимость устранена

Ссылки на источники

Идентификаторы других систем описаний уязвимостей

EPSS

Процентиль: 33%
0.00126
Низкий

5.3 Medium

CVSS3

5.4 Medium

CVSS2

Связанные уязвимости

redos логотип

ROS-20240402-20

CVSS3: 5.3
redos
около 1 года назад

Уязвимость cargo

ubuntu логотип

CVE-2022-46176

CVSS3: 5.3
ubuntu
больше 2 лет назад

Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle (MITM) attacks. This vulnerability has been assigned CVE-2022-46176. All Rust versions containing Cargo before 1.66.1 are vulnerable. Note that even if you don't explicitly use SSH for alternate registry indexes or crate dependencies, you might be affected by this vulnerability if you have configured git to replace HTTPS connections to GitHub with SSH (through git's [`url.<base>.insteadOf`][1] setting), as that'd cause you to clone the crates.io index through SSH. Rust 1.66.1 will ensure Cargo checks the SSH host key and abort the connection if the server's public key is not already trusted. We recommend everyone to upgrade as soon as possible.

redhat логотип

CVE-2022-46176

CVSS3: 5.3
redhat
больше 2 лет назад

Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle (MITM) attacks. This vulnerability has been assigned CVE-2022-46176. All Rust versions containing Cargo before 1.66.1 are vulnerable. Note that even if you don't explicitly use SSH for alternate registry indexes or crate dependencies, you might be affected by this vulnerability if you have configured git to replace HTTPS connections to GitHub with SSH (through git's [`url.<base>.insteadOf`][1] setting), as that'd cause you to clone the crates.io index through SSH. Rust 1.66.1 will ensure Cargo checks the SSH host key and abort the connection if the server's public key is not already trusted. We recommend everyone to upgrade as soon as possible.

nvd логотип

CVE-2022-46176

CVSS3: 5.3
nvd
больше 2 лет назад

Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle (MITM) attacks. This vulnerability has been assigned CVE-2022-46176. All Rust versions containing Cargo before 1.66.1 are vulnerable. Note that even if you don't explicitly use SSH for alternate registry indexes or crate dependencies, you might be affected by this vulnerability if you have configured git to replace HTTPS connections to GitHub with SSH (through git's [`url.<base>.insteadOf`][1] setting), as that'd cause you to clone the crates.io index through SSH. Rust 1.66.1 will ensure Cargo checks the SSH host key and abort the connection if the server's public key is not already trusted. We recommend everyone to upgrade as soon as possible.

msrc логотип

CVE-2022-46176

CVSS3: 5.9
msrc
больше 2 лет назад

Описание отсутствует

EPSS

Процентиль: 33%
0.00126
Низкий

5.3 Medium

CVSS3

5.4 Medium

CVSS2