Vulnerability Details CVE-2018-1000622
The Rust Programming Language rustdoc version Between 0.8 and 1.27.0 contains a CWE-427: Uncontrolled Search Path Element vulnerability in rustdoc plugins that can result in local code execution as a different user. This attack appear to be exploitable via using the --plugin flag without the --plugin-path flag. This vulnerability appears to have been fixed in 1.27.1.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.007
EPSS Ranking 70.6%
CVSS Severity
CVSS v3 Score 7.8
CVSS v2 Score 6.8
References
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00076.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00031.html
- https://groups.google.com/forum/#%21topic/rustlang-security-announcements/4ybxYLTtXuM
- https://security.gentoo.org/glsa/201812-11
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00076.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00031.html
- https://groups.google.com/forum/#%21topic/rustlang-security-announcements/4ybxYLTtXuM
- https://security.gentoo.org/glsa/201812-11
Products affected by CVE-2018-1000622
-
cpe:2.3:a:rust-lang:rust:0.10
-
cpe:2.3:a:rust-lang:rust:0.11.0
-
cpe:2.3:a:rust-lang:rust:0.12.0
-
cpe:2.3:a:rust-lang:rust:0.8
-
cpe:2.3:a:rust-lang:rust:0.9
-
cpe:2.3:a:rust-lang:rust:1.0.0
-
cpe:2.3:a:rust-lang:rust:1.1.0
-
cpe:2.3:a:rust-lang:rust:1.10.0
-
cpe:2.3:a:rust-lang:rust:1.11.0
-
cpe:2.3:a:rust-lang:rust:1.12.0
-
cpe:2.3:a:rust-lang:rust:1.12.1
-
cpe:2.3:a:rust-lang:rust:1.13.0
-
cpe:2.3:a:rust-lang:rust:1.14.0
-
cpe:2.3:a:rust-lang:rust:1.15.0
-
cpe:2.3:a:rust-lang:rust:1.15.1
-
cpe:2.3:a:rust-lang:rust:1.16.0
-
cpe:2.3:a:rust-lang:rust:1.17.0
-
cpe:2.3:a:rust-lang:rust:1.18.0
-
cpe:2.3:a:rust-lang:rust:1.19.0
-
cpe:2.3:a:rust-lang:rust:1.2.0
-
cpe:2.3:a:rust-lang:rust:1.20.0
-
cpe:2.3:a:rust-lang:rust:1.21.0
-
cpe:2.3:a:rust-lang:rust:1.22.0
-
cpe:2.3:a:rust-lang:rust:1.22.1
-
cpe:2.3:a:rust-lang:rust:1.23.0
-
cpe:2.3:a:rust-lang:rust:1.24.0
-
cpe:2.3:a:rust-lang:rust:1.24.1
-
cpe:2.3:a:rust-lang:rust:1.25.0
-
cpe:2.3:a:rust-lang:rust:1.26.0
-
cpe:2.3:a:rust-lang:rust:1.26.1
-
cpe:2.3:a:rust-lang:rust:1.26.2
-
cpe:2.3:a:rust-lang:rust:1.27.0
-
cpe:2.3:a:rust-lang:rust:1.3.0
-
cpe:2.3:a:rust-lang:rust:1.4.0
-
cpe:2.3:a:rust-lang:rust:1.5.0
-
cpe:2.3:a:rust-lang:rust:1.6.0
-
cpe:2.3:a:rust-lang:rust:1.7.0
-
cpe:2.3:a:rust-lang:rust:1.8.0
-
cpe:2.3:a:rust-lang:rust:1.9.0