
High-Severity Rust Programming Bug Could Lead to File, Directory Deletion
2022-01-23 22:53

The maintainers of the Rust programming language have released a security update for a high-severity vulnerability that could be abused by a malicious party to purge files and directories from a vulnerable system in an unauthorized manner.

"An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete," the Rust Security Response working group said in an advisory published on January 20, 2022.

Rust 1.0.0 through Rust 1.58.0 is affected by this vulnerability.

The flaw, which is tracked as CVE-2022-21658, has been credited to security researcher Hans Kratz, with the team pushing out a fix in Rust version 1.58.1 shipped last week.

Specifically, the issue stems from an improperly implemented check meant to prevent recursive deletion through symbolic links in the standard library function `std::fs::remove_dir_all`. The check is subject to a race condition (a time-of-check to time-of-use window), which an adversary who can influence a privileged program calling the function could reliably exploit to delete sensitive directories.
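The defensive pattern that closes this kind of window, shown here as an added example (it is not code from the Rust project or from the article): every check and every deletion is done relative to an open directory handle, and each child directory is opened with O_NOFOLLOW, so an entry swapped for a symlink between the check and the deletion is refused rather than followed. It assumes a POSIX.1-2008 system and builds a constructed fixture under /tmp.

```c
#define _XOPEN_SOURCE 700  // POSIX.1-2008 *at() calls; added example, not rustc's code
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

// Remove `name` (a child of the directory open at `parent`) and everything under
// it. Returns 0 on success, -1 on error. Symlinks are unlinked, never followed.
static int remove_tree_at(int parent, const char *name) {
    struct stat st;
    // Check the entry itself, not whatever a symlink would point to.
    if (fstatat(parent, name, &st, AT_SYMLINK_NOFOLLOW) != 0) return -1;
    if (!S_ISDIR(st.st_mode)) return unlinkat(parent, name, 0);  // file or symlink
    // O_NOFOLLOW|O_DIRECTORY: if the entry was swapped for a symlink after the
    // check above, open fails (ELOOP/ENOTDIR) instead of following it.
    int fd = openat(parent, name, O_RDONLY | O_NOFOLLOW | O_DIRECTORY | O_CLOEXEC);
    if (fd < 0) return -1;
    DIR *d = fdopendir(fd);
    if (!d) { close(fd); return -1; }
    struct dirent *e; int rc = 0;
    while (rc == 0 && (e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) continue;
        rc = remove_tree_at(dirfd(d), e->d_name);  // children relative to the handle
    }
    closedir(d);  // also closes fd
    return rc == 0 ? unlinkat(parent, name, AT_REMOVEDIR) : rc;
}

// Constructed fixture under /tmp: victim/secret and doomed/{file, link -> ../victim}.
// Deletes "doomed"; returns 1 if the link was removed without touching victim/.
int demo_symlink_not_followed(void) {
    char tmpl[] = "/tmp/rmtree-XXXXXX";
    if (!mkdtemp(tmpl)) return 0;
    int base = open(tmpl, O_RDONLY | O_DIRECTORY);
    if (base < 0) return 0;
    if (mkdirat(base, "victim", 0700) || mkdirat(base, "doomed", 0700)) return 0;
    close(openat(base, "victim/secret", O_WRONLY | O_CREAT, 0600));
    close(openat(base, "doomed/file", O_WRONLY | O_CREAT, 0600));
    if (symlinkat("../victim", base, "doomed/link") != 0) return 0;
    int rc = remove_tree_at(base, "doomed");
    struct stat st;
    int secret_alive = fstatat(base, "victim/secret", &st, 0) == 0;
    int doomed_gone = fstatat(base, "doomed", &st, AT_SYMLINK_NOFOLLOW) != 0;
    remove_tree_at(base, "victim");  // tidy up the fixture
    close(base); rmdir(tmpl);
    return rc == 0 && secret_alive && doomed_gone;
}
```

The path-based variant of this routine is the one to look for in code review: any `lstat` on a path followed by a recursive delete on the same path leaves exactly the window the advisory describes.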

Rust, while not a widely used programming language, has seen a surge in adoption in recent years on the strength of its memory-safety guarantees.


News URL

https://thehackernews.com/2022/01/high-severity-rust-programming-bug.html

Related Vulnerability

Date: 2022-01-20
CVE: CVE-2022-21658
Title: Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in multiple products
Description: Rust is a multi-paradigm, general-purpose programming language designed for performance and safety, especially safe concurrency.
Attack vector: local
Attack complexity: high
Affected vendors: rust-lang, fedoraproject, apple
CWE: CWE-367
Risk: 6.3