Uncontrolled Search Path Element Vulnerability in Rust Programming Language rustdoc
CVE-2018-1000622

7.8HIGH

Key Information:

Vendor

Rust-lang
Status
Rust
Vendor
CVE Published:
9 July 2018

What is CVE-2018-1000622?

The rustdoc tool from the Rust Programming Language, specifically versions from 0.8 to 1.27.0, is impacted by a vulnerability that allows local code execution as a different user due to an uncontrolled search path element. When using the --plugin flag without specifying the --plugin-path flag, attackers can exploit this vulnerability, leading to potentially unauthorized code execution. The issue has been addressed in version 1.27.1, so users are advised to upgrade to ensure their systems are secure.

References

https://security.gentoo.org/glsa/201812-11
vendor-advisoryx_refsource_GENTOO
https://groups.google.com/forum/#%21topic/rustlang-securi...
x_refsource_CONFIRM
http://lists.opensuse.org/opensuse-security-announce/2019...
vendor-advisoryx_refsource_SUSE

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.