cve-2022-46176
Vulnerability from cvelistv5
Published
2023-01-11 20:07
Modified
2024-08-03 14:24
Summary
Cargo did not verify SSH host keys
Impacted products
Vendor Product Version


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T14:24:03.428Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j"
          },
          {
            "name": "https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/11/05/6"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/11/06/5"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cargo",
          "vendor": "rust-lang",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 0.67.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle (MITM) attacks. This vulnerability has been assigned CVE-2022-46176. All Rust versions containing Cargo before 1.66.1 are vulnerable. Note that even if you don\u0027t explicitly use SSH for alternate registry indexes or crate dependencies, you might be affected by this vulnerability if you have configured git to replace HTTPS connections to GitHub with SSH (through git\u0027s [`url.\u003cbase\u003e.insteadOf`][1] setting), as that\u0027d cause you to clone the crates.io index through SSH. Rust 1.66.1 will ensure Cargo checks the SSH host key and abort the connection if the server\u0027s public key is not already trusted. We recommend everyone to upgrade as soon as possible. "
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-347",
              "description": "CWE-347: Improper Verification of Cryptographic Signature",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-01-11T20:07:12.847Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j"
        },
        {
          "name": "https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2023/11/05/6"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2023/11/06/5"
        }
      ],
      "source": {
        "advisory": "GHSA-r5w3-xm58-jv6j",
        "discovery": "UNKNOWN"
      },
      "title": "Cargo did not verify SSH host keys"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-46176",
    "datePublished": "2023-01-11T20:07:12.847Z",
    "dateReserved": "2022-11-28T17:27:19.999Z",
    "dateUpdated": "2024-08-03T14:24:03.428Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-46176\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-01-11T21:15:10.087\",\"lastModified\":\"2024-11-21T07:30:15.910\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle (MITM) attacks. This vulnerability has been assigned CVE-2022-46176. All Rust versions containing Cargo before 1.66.1 are vulnerable. Note that even if you don\u0027t explicitly use SSH for alternate registry indexes or crate dependencies, you might be affected by this vulnerability if you have configured git to replace HTTPS connections to GitHub with SSH (through git\u0027s [`url.\u003cbase\u003e.insteadOf`][1] setting), as that\u0027d cause you to clone the crates.io index through SSH. Rust 1.66.1 will ensure Cargo checks the SSH host key and abort the connection if the server\u0027s public key is not already trusted. We recommend everyone to upgrade as soon as possible. \"},{\"lang\":\"es\",\"value\":\"Cargo es un administrador de paquetes de Rust. Se notific\u00f3 al Grupo de Trabajo de Respuesta de Seguridad de Rust que Cargo no realiz\u00f3 la verificaci\u00f3n de la clave de host SSH al clonar \u00edndices y dependencias a trav\u00e9s de SSH. Un atacante podr\u00eda aprovechar esto para realizar ataques de intermediario (MITM). A esta vulnerabilidad se le ha asignado CVE-2022-46176. Todas las versiones de Rust que contienen Cargo anteriores a la 1.66.1 son vulnerables. 
Tenga en cuenta que incluso si no usa SSH expl\u00edcitamente para \u00edndices de registro alternativos o dependencias de cajas, podr\u00eda verse afectado por esta vulnerabilidad si ha configurado git para reemplazar las conexiones HTTPS a GitHub con SSH (a trav\u00e9s de [`url..insteadOf`] de git). [1]), ya que eso har\u00eda que clonaras el \u00edndice de crates.io a trav\u00e9s de SSH. Rust 1.66.1 garantizar\u00e1 que Cargo verifique la clave del host SSH y cancelar\u00e1 la conexi\u00f3n si la clave p\u00fablica del servidor a\u00fan no es confiable. Recomendamos a todos que actualicen lo antes posible.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-347\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rust-lang:cargo:*:*:*:*:*:rust:*:*\",\"versionEndIncluding\":\"0.67.0\",\
"matchCriteriaId\":\"4C77F904-4E61-4DCA-BE20-B00B808B988D\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2023/11/05/6\",\"source\":\"security-advisories@github.com\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2023/11/06/5\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2023/11/05/6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2023/11/06/5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}"
  }
}






Tags
Taxonomy of the tags.



Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.