The Rust programming language's maintainers have released a security update for a high-severity vulnerability that could be abused by a malicious party to delete files and directories on a vulnerable system without authorization.
Rust is a multi-paradigm, general-purpose programming language that emphasizes performance and safety, particularly in the areas of concurrency and memory management. It is syntactically identical to C++, but it can ensure memory safety by validating references with a borrow checker. It is an open-source project which started as a research project at Mozilla.
In a January 20, 2021 advisory, the Rust Security Response Working Group (WG) stated that an attacker might leverage this security flaw to trick a privileged program into deleting files and directories that the attacker could not otherwise access or remove.
This vulnerability affects Rust versions 1.0.0 to 1.58.0. Security researcher Hans Kratz is credited with reporting the vulnerability, which has been assigned the identifier CVE-2022-21658 (CVSS score: 7.3); the team released a fix in Rust version 1.58.1 last week.
The problem stems from an incorrectly implemented check meant to keep the recursive deletion routine from following symbolic links (symlinks). The fix shipped last week in Rust 1.58.1.
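The affected routine is `std::fs::remove_dir_all`, which tested whether a path was a symlink and then kept operating on that path, leaving a window in which the path could be swapped for a link. The following is an added example, not code from the article or from the Rust project: it puts that check-then-act shape next to a version that re-checks the object it actually holds open by comparing the lstat result with an fstat of the opened descriptor, and runs both on a constructed directory tree containing a symlink that points outside the tree. It assumes Linux/Unix (the `MetadataExt` and `symlink` APIs) and a writable temp directory; all paths and file names are constructed for the demonstration. The 1.58.1 fix goes further and performs the enumeration and unlinking relative to the opened descriptor, which the standard library does not expose, so the handle check here narrows the window rather than closing it.

```rust
// Added example (not from the article or the Rust project): the check-then-act
// shape behind CVE-2022-21658 in std::fs::remove_dir_all, beside a version that
// re-checks the directory it actually holds open. Linux/Unix only.
use std::fs::{self, File, Metadata};
use std::io;
use std::os::unix::fs::{symlink, MetadataExt};
use std::path::Path;

/// Pre-1.58.1 shape: the symlink test is made on the path, and the path is then
/// used again. If `path` is swapped for a symlink in between, read_dir and the
/// recursive deletes follow the link into a directory the caller never named.
#[allow(dead_code)] // kept for comparison with the hardened version below
fn naive_remove_dir_all(path: &Path) -> io::Result<()> {
    if fs::symlink_metadata(path)?.file_type().is_symlink() {
        return fs::remove_file(path); // unlink the link itself, never its target
    }
    for entry in fs::read_dir(path)? { // race window: path is re-resolved here
        let entry = entry?;
        if entry.file_type()?.is_dir() {
            naive_remove_dir_all(&entry.path())?;
        } else {
            fs::remove_file(entry.path())?; // plain files and symlinks alike
        }
    }
    fs::remove_dir(path)
}

/// Same filesystem object? lstat on a symlink reports the link's own inode,
/// while fstat on a handle opened through it reports the target's inode.
fn same_object(a: &Metadata, b: &Metadata) -> bool {
    a.dev() == b.dev() && a.ino() == b.ino()
}

/// lstat the path, open it, fstat the handle, and report whether both agree.
fn check_path(path: &Path) -> io::Result<bool> {
    let before = fs::symlink_metadata(path)?;
    let handle = File::open(path)?;
    Ok(same_object(&before, &handle.metadata()?))
}

/// Hardened shape: refuse to descend unless the directory we opened is the one
/// we checked. Enumeration still goes by path (std has no fd-relative
/// readdir/unlinkat), so this shrinks the race window rather than closing it.
fn hardened_remove_dir_all(path: &Path) -> io::Result<()> {
    let before = fs::symlink_metadata(path)?;
    if !before.file_type().is_dir() {
        return fs::remove_file(path); // symlink or plain file: unlink in place
    }
    let handle = File::open(path)?;
    let after = handle.metadata()?; // fstat on the descriptor we hold
    if !after.file_type().is_dir() || !same_object(&before, &after) {
        return Err(io::Error::new(
            io::ErrorKind::Other,
            "directory changed between check and open; refusing to descend",
        ));
    }
    for entry in fs::read_dir(path)? {
        let entry = entry?;
        if entry.file_type()?.is_dir() {
            hardened_remove_dir_all(&entry.path())?;
        } else {
            fs::remove_file(entry.path())?; // symlinks are unlinked, not followed
        }
    }
    drop(handle);
    fs::remove_dir(path)
}

/// Constructed scenario: a tree containing a symlink that points outside it.
/// Returns (tree_removed, target_untouched) after the hardened removal.
fn demo() -> io::Result<(bool, bool)> {
    let base = std::env::temp_dir()
        .join(format!("cve-2022-21658-demo-{}", std::process::id()));
    let _ = fs::remove_dir_all(&base); // leftovers from an earlier run
    let victim = base.join("victim");
    let tree = base.join("tree");
    fs::create_dir_all(&victim)?;
    fs::create_dir_all(tree.join("sub"))?;
    fs::write(victim.join("keep.txt"), b"must survive")?;
    fs::write(tree.join("sub").join("junk.txt"), b"delete me")?;
    symlink(&victim, tree.join("sub").join("escape"))?; // points outside the tree
    hardened_remove_dir_all(&tree)?;
    let tree_removed = fs::symlink_metadata(&tree).is_err();
    let target_untouched = victim.join("keep.txt").is_file();
    fs::remove_dir_all(&base)?;
    Ok((tree_removed, target_untouched))
}

/// Constructed scenario for the inode check: a real directory passes, a
/// symlink to it does not (lstat sees the link, fstat sees the directory).
fn demo_inode_check() -> io::Result<(bool, bool)> {
    let base = std::env::temp_dir()
        .join(format!("cve-2022-21658-check-{}", std::process::id()));
    let _ = fs::remove_dir_all(&base);
    let real = base.join("real");
    let link = base.join("link");
    fs::create_dir_all(&real)?;
    symlink(&real, &link)?;
    let result = (check_path(&real)?, check_path(&link)?);
    fs::remove_dir_all(&base)?;
    Ok(result)
}

fn main() -> io::Result<()> {
    println!("tree removed, target untouched: {:?}", demo()?);
    println!("inode check (real dir, symlink): {:?}", demo_inode_check()?);
    Ok(())
}
```

Both routines behave identically when nothing races them, which is why the bug survived for so long; the difference is what each does when the path it checked no longer names the directory it is about to empty. The naive version descends through whatever the path now resolves to, while the hardened version compares the device and inode of the descriptor it holds against the lstat result and stops with an error on a mismatch, which is also the condition a monitoring hook would want to log.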