CVE-2022-46176
Published: 11 January 2023
Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle (MITM) attacks. This vulnerability has been assigned CVE-2022-46176. All Rust versions containing Cargo before 1.66.1 are vulnerable. Note that even if you don't explicitly use SSH for alternate registry indexes or crate dependencies, you might be affected by this vulnerability if you have configured git to replace HTTPS connections to GitHub with SSH (through git's `url.<base>.insteadOf` setting), as that would cause you to clone the crates.io index through SSH. Rust 1.66.1 ensures that Cargo checks the SSH host key and aborts the connection if the server's public key is not already trusted. We recommend that everyone upgrade as soon as possible.
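The two conditions the advisory describes (a Cargo older than 1.66.1, and a git `insteadOf` rule that silently turns the HTTPS crates.io index URL into an SSH one) can be checked locally. The script below is an added example, not part of the Ubuntu tracker or the Rust advisory; it assumes `cargo` and `git` are on `PATH` and only reports, it changes nothing.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether this host is exposed
# to CVE-2022-46176. Assumes `cargo` and `git` are on PATH.

# Returns 0 when a Cargo version string (e.g. "1.66.0" or "1.68.0-nightly")
# is older than 1.66.1, the first release that verifies SSH host keys.
cargo_is_vulnerable() {
    ver="$1"
    major=$(printf '%s' "$ver" | cut -s -d. -f1)
    minor=$(printf '%s' "$ver" | cut -s -d. -f2)
    patch=$(printf '%s' "$ver" | cut -s -d. -f3 | sed 's/[^0-9].*//')
    : "${major:=0}" "${minor:=0}" "${patch:=0}"   # missing parts count as 0
    if [ "$major" -lt 1 ]; then return 0; fi
    if [ "$major" -gt 1 ]; then return 1; fi
    if [ "$minor" -lt 66 ]; then return 0; fi
    if [ "$minor" -gt 66 ]; then return 1; fi
    [ "$patch" -lt 1 ]
}

# Returns 0 when `git config --get-regexp` output (read from stdin) contains
# a url.<base>.insteadOf rule whose <base> is an SSH URL and whose target is
# https://github.com, i.e. the crates.io index clone would go over SSH.
# Typical line: url.git@github.com:.insteadof https://github.com/
insteadof_rewrites_github_to_ssh() {
    grep -iE '^url\.(ssh://|git@).*\.insteadof[[:space:]]+https://github\.com' >/dev/null
}

main() {
    cargo_ver=$(cargo --version 2>/dev/null | awk '{print $2}')
    if [ -n "$cargo_ver" ] && cargo_is_vulnerable "$cargo_ver"; then
        echo "cargo $cargo_ver: older than 1.66.1, SSH host keys are not verified"
    else
        echo "cargo ${cargo_ver:-not found}: not affected by CVE-2022-46176"
    fi
    if git config --get-regexp 'url\..*\.insteadof' 2>/dev/null \
        | insteadof_rewrites_github_to_ssh; then
        echo "git rewrites https://github.com to SSH: the crates.io index is cloned over SSH"
    fi
}

main "$@"
```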
Status
Package | Release | Status |
---|---|---|
cargo | bionic | Needed |
cargo | focal | Released (0.67.1+ds0ubuntu0.libgit2-0ubuntu0.20.04.2) |
cargo | jammy | Released (0.67.1+ds0ubuntu0.libgit2-0ubuntu0.22.04.2) |
cargo | kinetic | Not vulnerable (code not present) |
cargo | lunar | Released (0.67.1+ds0ubuntu1-0ubuntu1) |
cargo | mantic | Does not exist |
cargo | noble | Does not exist |
cargo | trusty | Ignored (end of standard support) |
cargo | upstream | Needs triage |
cargo | xenial | Needed |
rust-cargo | bionic | Does not exist |
rust-cargo | focal | Does not exist |
rust-cargo | jammy | Needed |
rust-cargo | kinetic | Ignored (end of life) |
rust-cargo | lunar | Released (0.66.0-1) |
rust-cargo | mantic | Not vulnerable (0.66.0-1) |
rust-cargo | noble | Not vulnerable (0.66.0-1) |
rust-cargo | trusty | Ignored (end of standard support) |
rust-cargo | upstream | Needs triage |
rust-cargo | xenial | Ignored (end of standard support) |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.9 |
Attack vector | Network |
Attack complexity | High |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality impact | None |
Integrity impact | High |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |