Bug 2160363 (CVE-2022-46176) - CVE-2022-46176 rust-cargo: cargo lacking ssh host key checking
Summary: CVE-2022-46176 rust-cargo: cargo lacking ssh host key checking
Alias: CVE-2022-46176
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 2160364 2160365 2160366 2160367 2160368 2160369 2160370 2160372
Blocks: 2160219
TreeView+ depends on / blocked
Reported: 2023-01-12 07:23 UTC by Sandipan Roy
Modified: 2023-08-01 12:24 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2023-01-15 10:30:50 UTC

Attachments (Terms of Use)

Description Sandipan Roy 2023-01-12 07:23:20 UTC
Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle (MITM) attacks. This vulnerability has been assigned CVE-2022-46176. All Rust versions containing Cargo before 1.66.1 are vulnerable. Note that even if you don't explicitly use SSH for alternate registry indexes or crate dependencies, you might be affected by this vulnerability if you have configured git to replace HTTPS connections to GitHub with SSH (through git's [`url.<base>.insteadOf`][1] setting), as that'd cause you to clone the crates.io index through SSH. Rust 1.66.1 will ensure Cargo checks the SSH host key and abort the connection if the server's public key is not already trusted. We recommend everyone to upgrade as soon as possible.


Comment 1 Sandipan Roy 2023-01-12 07:27:20 UTC
Created rust tracking bugs for this issue:

Affects: epel-7 [bug 2160367]
Affects: fedora-36 [bug 2160368]
Affects: fedora-37 [bug 2160369]

Created rust-cargo tracking bugs for this issue:

Affects: fedora-all [bug 2160364]

Comment 5 Product Security DevOps Team 2023-01-15 10:30:49 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.