Bug 2265585 (CVE-2024-24576)
| Summary: | CVE-2024-24576 rust: Fail to Escape Arguments Properly in Microsoft Windows | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Zack Miele <zmiele> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A command injection flaw was found in Rust, exclusive to Windows environments. When invoking batch files on Windows using the Command API, Rust explicitly uses cmd.exe which has complicated parsing rules for arguments. If an attacker can control part of the command arguments of the batch file, this could bypass the argument escaping and inject arbitrary shell commands.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2274248 | ||
| Bug Blocks: | 2265582 | ||
|
Description
Zack Miele
2024-02-22 21:50:12 UTC
Created rust tracking bugs for this issue: Affects: fedora-all [bug 2274248] |