AmazonALAS2-2022-1817Medium: rust
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:N/I:P/A:P
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H
AI Score
Confidence
High
EPSS
Percentile
38.0%
Issue Overview:
A race condition flaw was found in Rust’s std::fs::remove_dir_all function. Rust applications that use this function may be vulnerable to a race condition where an unprivileged attacker can trick the application into deleting files and directories, causing an impact on system data integrity. If the application is privileged, an attacker can possibly delete files they would not usually have access to. (CVE-2022-21658)
Affected Packages:
rust
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update rust to update your system.
New Packages:
aarch64:
rust-1.61.0-2.amzn2.0.1.aarch64
rust-std-static-1.61.0-2.amzn2.0.1.aarch64
rust-doc-1.61.0-2.amzn2.0.1.aarch64
cargo-1.61.0-2.amzn2.0.1.aarch64
rustfmt-1.61.0-2.amzn2.0.1.aarch64
rls-1.61.0-2.amzn2.0.1.aarch64
clippy-1.61.0-2.amzn2.0.1.aarch64
rust-analysis-1.61.0-2.amzn2.0.1.aarch64
rust-debuginfo-1.61.0-2.amzn2.0.1.aarch64
noarch:
rust-debugger-common-1.61.0-2.amzn2.0.1.noarch
rust-gdb-1.61.0-2.amzn2.0.1.noarch
cargo-doc-1.61.0-2.amzn2.0.1.noarch
rust-src-1.61.0-2.amzn2.0.1.noarch
src:
rust-1.61.0-2.amzn2.0.1.src
x86_64:
rust-1.61.0-2.amzn2.0.1.x86_64
rust-std-static-1.61.0-2.amzn2.0.1.x86_64
rust-doc-1.61.0-2.amzn2.0.1.x86_64
cargo-1.61.0-2.amzn2.0.1.x86_64
rustfmt-1.61.0-2.amzn2.0.1.x86_64
rls-1.61.0-2.amzn2.0.1.x86_64
clippy-1.61.0-2.amzn2.0.1.x86_64
rust-analysis-1.61.0-2.amzn2.0.1.x86_64
rust-debuginfo-1.61.0-2.amzn2.0.1.x86_64
Additional References
Red Hat: CVE-2022-21658
Mitre: CVE-2022-21658
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Amazon Linux | 2 | aarch64 | rust | < 1.61.0-2.amzn2.0.1 | rust-1.61.0-2.amzn2.0.1.aarch64.rpm |
| Amazon Linux | 2 | aarch64 | rust-std-static | < 1.61.0-2.amzn2.0.1 | rust-std-static-1.61.0-2.amzn2.0.1.aarch64.rpm |
| Amazon Linux | 2 | aarch64 | rust-doc | < 1.61.0-2.amzn2.0.1 | rust-doc-1.61.0-2.amzn2.0.1.aarch64.rpm |
| Amazon Linux | 2 | aarch64 | cargo | < 1.61.0-2.amzn2.0.1 | cargo-1.61.0-2.amzn2.0.1.aarch64.rpm |
| Amazon Linux | 2 | aarch64 | rustfmt | < 1.61.0-2.amzn2.0.1 | rustfmt-1.61.0-2.amzn2.0.1.aarch64.rpm |
| Amazon Linux | 2 | aarch64 | rls | < 1.61.0-2.amzn2.0.1 | rls-1.61.0-2.amzn2.0.1.aarch64.rpm |
| Amazon Linux | 2 | aarch64 | clippy | < 1.61.0-2.amzn2.0.1 | clippy-1.61.0-2.amzn2.0.1.aarch64.rpm |
| Amazon Linux | 2 | aarch64 | rust-analysis | < 1.61.0-2.amzn2.0.1 | rust-analysis-1.61.0-2.amzn2.0.1.aarch64.rpm |
| Amazon Linux | 2 | aarch64 | rust-debuginfo | < 1.61.0-2.amzn2.0.1 | rust-debuginfo-1.61.0-2.amzn2.0.1.aarch64.rpm |
| Amazon Linux | 2 | noarch | rust-debugger-common | < 1.61.0-2.amzn2.0.1 | rust-debugger-common-1.61.0-2.amzn2.0.1.noarch.rpm |
Related
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:N/I:P/A:P
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H
AI Score
Confidence
High
EPSS
Percentile
38.0%