You are viewing this page in an unauthorized frame window.
This is a potential security issue, you are being redirected to
https://nvd.nist.gov
An official website of the United States government
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock () or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.
This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may result in further changes to the information provided.
Description
Rust is a multi-paradigm, general-purpose programming language designed for performance and safety, especially safe concurrency. The Rust Security Response WG was notified that the `std::fs::remove_dir_all` standard library function is vulnerable a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete. Rust 1.0.0 through Rust 1.58.0 is affected by this vulnerability with 1.58.1 containing a patch. Note that the following build targets don't have usable APIs to properly mitigate the attack, and are thus still vulnerable even with a patched toolchain: macOS before version 10.10 (Yosemite) and REDOX. We recommend everyone to update to Rust 1.58.1 as soon as possible, especially people developing programs expected to run in privileged contexts (including system daemons and setuid binaries), as those have the highest risk of being affected by this. Note that adding checks in your codebase before calling remove_dir_all will not mitigate the vulnerability, as they would also be vulnerable to race conditions like remove_dir_all itself. The existing mitigation is working as intended outside of race conditions.
Metrics
NVD enrichment efforts reference publicly available information to associate
vector strings. CVSS information contributed by other sources is also
displayed.
By selecting these links, you will be leaving NIST webspace.
We have provided these links to other web sites because they
may have information that would be of interest to you. No
inferences should be drawn on account of other sites being
referenced, or not, from this page. There may be other web
sites that are more appropriate for your purpose. NIST does
not necessarily endorse the views expressed, or concur with
the facts presented on these sites. Further, NIST does not
endorse any commercial products that may be mentioned on
these sites. Please address comments about this page to nvd@nist.gov.
CVE Modified by GitHub, Inc.11/06/2023 10:43:39 PM
Action
Type
Old Value
New Value
Added
Reference
GitHub, Inc. https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7JKZDTBMGAWIFJSNWKBMPO5EAKRR4BEW/ [No types assigned]
Added
Reference
GitHub, Inc. https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BK32QZLHDC2OVLPKTUHNT2G3VHWHD4LX/ [No types assigned]
Added
Reference
GitHub, Inc. https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C63NH72Q7UHJM5V3IVYRI7LVBGGFQMSQ/ [No types assigned]
Added
Reference
GitHub, Inc. https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKGTACKMKAPRDPWPTU26GYWBELIRFF5N/ [No types assigned]
Removed
Reference
GitHub, Inc. https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7JKZDTBMGAWIFJSNWKBMPO5EAKRR4BEW/
Removed
Reference
GitHub, Inc. https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BK32QZLHDC2OVLPKTUHNT2G3VHWHD4LX/
Removed
Reference
GitHub, Inc. https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C63NH72Q7UHJM5V3IVYRI7LVBGGFQMSQ/
Removed
Reference
GitHub, Inc. https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKGTACKMKAPRDPWPTU26GYWBELIRFF5N/
Modified Analysis by NIST10/19/2022 9:22:56 AM
Action
Type
Old Value
New Value
Added
CPE Configuration
OR
*cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* versions up to (excluding) 15.4
*cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* versions up to (excluding) 15.4
*cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* versions from (including) 12.0.0 up to (excluding) 12.3
*cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:* versions up to (excluding) 15.4
*cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:* versions up to (excluding) 8.5
Changed
Reference Type
https://security.gentoo.org/glsa/202210-09 No Types Assigned
https://security.gentoo.org/glsa/202210-09 Third Party Advisory
Changed
Reference Type
https://support.apple.com/kb/HT213182 No Types Assigned
https://support.apple.com/kb/HT213182 Third Party Advisory
Changed
Reference Type
https://support.apple.com/kb/HT213183 No Types Assigned
https://support.apple.com/kb/HT213183 Third Party Advisory
Changed
Reference Type
https://support.apple.com/kb/HT213186 No Types Assigned
https://support.apple.com/kb/HT213186 Third Party Advisory
Changed
Reference Type
https://support.apple.com/kb/HT213193 No Types Assigned
https://support.apple.com/kb/HT213193 Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7JKZDTBMGAWIFJSNWKBMPO5EAKRR4BEW/ No Types Assigned
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7JKZDTBMGAWIFJSNWKBMPO5EAKRR4BEW/ Mailing List, Third Party Advisory
Changed
Reference Type
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKGTACKMKAPRDPWPTU26GYWBELIRFF5N/ No Types Assigned
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKGTACKMKAPRDPWPTU26GYWBELIRFF5N/ Mailing List, Third Party Advisory
https://github.com/rust-lang/rust/pull/93110 No Types Assigned
https://github.com/rust-lang/rust/pull/93110 Patch, Third Party Advisory
Changed
Reference Type
https://github.com/rust-lang/rust/pull/93110/commits/32ed6e599bb4722efefd78bbc9cd7ec4613cb946 No Types Assigned
https://github.com/rust-lang/rust/pull/93110/commits/32ed6e599bb4722efefd78bbc9cd7ec4613cb946 Patch, Third Party Advisory
Changed
Reference Type
https://github.com/rust-lang/rust/pull/93110/commits/406cc071d6cfdfdb678bf3d83d766851de95abaf No Types Assigned
https://github.com/rust-lang/rust/pull/93110/commits/406cc071d6cfdfdb678bf3d83d766851de95abaf Patch, Third Party Advisory
Changed
Reference Type
https://github.com/rust-lang/rust/pull/93110/commits/4f0ad1c92ca08da6e8dc17838070975762f59714 No Types Assigned
https://github.com/rust-lang/rust/pull/93110/commits/4f0ad1c92ca08da6e8dc17838070975762f59714 Patch, Third Party Advisory
Changed
Reference Type
https://github.com/rust-lang/rust/security/advisories/GHSA-r9cc-f5pr-p3j2 No Types Assigned
https://github.com/rust-lang/rust/security/advisories/GHSA-r9cc-f5pr-p3j2 Exploit, Mitigation, Third Party Advisory
Changed
Reference Type
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BK32QZLHDC2OVLPKTUHNT2G3VHWHD4LX/ No Types Assigned
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BK32QZLHDC2OVLPKTUHNT2G3VHWHD4LX/ Mailing List, Third Party Advisory
Changed
Reference Type
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C63NH72Q7UHJM5V3IVYRI7LVBGGFQMSQ/ No Types Assigned
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C63NH72Q7UHJM5V3IVYRI7LVBGGFQMSQ/ Mailing List, Third Party Advisory
) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.
