Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of others users of the same registry. The severity of the vulnerability is **low**, due to the extremely niche requirements needed to achieve the attack.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XRust Lang Cargo
APPRust-Lang1.68.0 – 1.96.0 (bez)
Related vulnerabilities
Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundl...
Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a...
Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH hos...
Cargo is a package manager for the rust programming language. After a package is downloaded, Cargo extracts it...
Cargo is a package manager for the rust programming language. It was discovered that Cargo did not limit the a...