Bug 2265585 (CVE-2024-24576) - CVE-2024-24576 rust: Fail to Escape Arguments Properly in Microsoft Windows
Summary: CVE-2024-24576 rust: Fail to Escape Arguments Properly in Microsoft Windows
Keywords:
Status: NEW
Alias: CVE-2024-24576
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2274248
Blocks:
Reported: 2024-02-22 21:50 UTC by Zack Miele
Modified: 2024-04-09 21:50 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A command injection flaw was found in Rust, exclusive to Windows environments. When invoking batch files on Windows using the Command API, Rust explicitly uses cmd.exe, which has complicated parsing rules for arguments. An attacker who can control part of the arguments passed to the batch file could bypass the argument escaping and inject arbitrary shell commands.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Zack Miele 2024-02-22 21:50:12 UTC
There are special meta characters that can be dangerous when they are expanded on the Microsoft Windows shell via the CmdCmdLine variable.

Comment 3 Zack Miele 2024-04-09 21:00:43 UTC
Created rust tracking bugs for this issue:

Affects: fedora-all [bug 2274248]
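
The following is an added example, not part of the bug report and not code from the Rust project. It shows one defensive pattern for the flaw described in the Doc Text: refuse untrusted arguments before they reach a batch file, using a strict allowlist instead of relying on escaping. The names `is_batch_file`, `is_safe_batch_arg`, `checked_command` and the script name `deploy.bat` are hypothetical, and the allowlist itself is an assumed policy.

```rust
use std::ffi::OsStr;
use std::io::{self, ErrorKind};
use std::path::Path;
use std::process::Command;

/// True when `program` has a .bat or .cmd extension (case-insensitive).
/// Assumption of this example: batch files are recognised by extension only.
fn is_batch_file(program: &Path) -> bool {
    program
        .extension()
        .and_then(OsStr::to_str)
        .map_or(false, |ext| {
            ext.eq_ignore_ascii_case("bat") || ext.eq_ignore_ascii_case("cmd")
        })
}

/// Conservative allowlist: non-empty, ASCII letters, digits, '.', '_' and '-'.
/// Quotes, %, ^, &, |, <, >, whitespace and every other character cmd.exe
/// could treat specially fall outside it and are rejected, not escaped.
fn is_safe_batch_arg(arg: &str) -> bool {
    !arg.is_empty()
        && arg
            .chars()
            .all(|c| c.is_ascii_alphanumeric() || matches!(c, '.' | '_' | '-'))
}

/// Hypothetical wrapper: build a Command, refusing arguments that would be
/// parsed by cmd.exe because the target is a batch file. Nothing is spawned.
fn checked_command(program: &str, args: &[&str]) -> io::Result<Command> {
    if is_batch_file(Path::new(program)) {
        if let Some(bad) = args.iter().copied().find(|a| !is_safe_batch_arg(a)) {
            let msg = format!("argument {:?} not allowed for batch file {}", bad, program);
            return Err(io::Error::new(ErrorKind::InvalidInput, msg));
        }
    }
    let mut cmd = Command::new(program);
    cmd.args(args);
    Ok(cmd)
}

fn main() {
    // Constructed sample inputs; "deploy.bat" is a made-up script name.
    for arg in ["release-1.2", "web 01", "%TEMP%"] {
        match checked_command("deploy.bat", &[arg]) {
            Ok(_) => println!("accepted: {:?}", arg),
            Err(e) => println!("rejected: {}", e),
        }
    }
}
```

Arguments for non-batch programs pass through unchanged, since the description above ties the flaw to batch files run through cmd.exe.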

