{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-46176", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2022-11-28T17:27:19.999Z", "datePublished": "2023-01-11T20:07:12.847Z", "dateUpdated": "2025-03-10T21:30:29.733Z"}, "containers": {"cna": {"title": "Cargo did not verify SSH host keys", "problemTypes": [{"descriptions": [{"cweId": "CWE-347", "lang": "en", "description": "CWE-347: Improper Verification of Cryptographic Signature", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j"}, {"name": "https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176", "tags": ["x_refsource_MISC"], "url": "https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176"}, {"url": "http://www.openwall.com/lists/oss-security/2023/11/05/6"}, {"url": "http://www.openwall.com/lists/oss-security/2023/11/06/5"}], "affected": [{"vendor": "rust-lang", "product": "cargo", "versions": [{"version": "<= 0.67.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-11-07T00:06:30.987Z"}, "descriptions": [{"lang": "en", "value": "Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle (MITM) attacks. This vulnerability has been assigned CVE-2022-46176. All Rust versions containing Cargo before 1.66.1 are vulnerable. Note that even if you don't explicitly use SSH for alternate registry indexes or crate dependencies, you might be affected by this vulnerability if you have configured git to replace HTTPS connections to GitHub with SSH (through git's [`url.<base>.insteadOf`][1] setting), as that'd cause you to clone the crates.io index through SSH. Rust 1.66.1 will ensure Cargo checks the SSH host key and abort the connection if the server's public key is not already trusted. We recommend everyone to upgrade as soon as possible."}], "source": {"advisory": "GHSA-r5w3-xm58-jv6j", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:24:03.428Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j"}, {"name": "https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176"}, {"url": "http://www.openwall.com/lists/oss-security/2023/11/05/6", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/11/06/5", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-10T21:00:13.565262Z", "id": "CVE-2022-46176", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-10T21:30:29.733Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j", "name": "https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176", "name": "https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/11/05/6", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/11/06/5", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:24:03.428Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-46176", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-10T21:00:13.565262Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-10T21:00:14.996Z"}}], "cna": {"title": "Cargo did not verify SSH host keys", "source": {"advisory": "GHSA-r5w3-xm58-jv6j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "rust-lang", "product": "cargo", "versions": [{"status": "affected", "version": "<= 0.67.0"}]}], "references": [{"url": "https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j", "name": "https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176", "name": "https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176", "tags": ["x_refsource_MISC"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/11/05/6"}, {"url": "http://www.openwall.com/lists/oss-security/2023/11/06/5"}], "descriptions": [{"lang": "en", "value": "Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle (MITM) attacks. This vulnerability has been assigned CVE-2022-46176. All Rust versions containing Cargo before 1.66.1 are vulnerable. Note that even if you don't explicitly use SSH for alternate registry indexes or crate dependencies, you might be affected by this vulnerability if you have configured git to replace HTTPS connections to GitHub with SSH (through git's [`url.<base>.insteadOf`][1] setting), as that'd cause you to clone the crates.io index through SSH. Rust 1.66.1 will ensure Cargo checks the SSH host key and abort the connection if the server's public key is not already trusted. We recommend everyone to upgrade as soon as possible."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-347", "description": "CWE-347: Improper Verification of Cryptographic Signature"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-11-07T00:06:30.987Z"}}}, "cveMetadata": {"cveId": "CVE-2022-46176", "state": "PUBLISHED", "dateUpdated": "2025-03-10T21:30:29.733Z", "dateReserved": "2022-11-28T17:27:19.999Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-01-11T20:07:12.847Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rust-lang:cargo:*:*:*:*:*:rust:*:*", "matchCriteriaId": "4C77F904-4E61-4DCA-BE20-B00B808B988D", "versionEndIncluding": "0.67.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle (MITM) attacks. This vulnerability has been assigned CVE-2022-46176. All Rust versions containing Cargo before 1.66.1 are vulnerable. Note that even if you don't explicitly use SSH for alternate registry indexes or crate dependencies, you might be affected by this vulnerability if you have configured git to replace HTTPS connections to GitHub with SSH (through git's [`url.<base>.insteadOf`][1] setting), as that'd cause you to clone the crates.io index through SSH. Rust 1.66.1 will ensure Cargo checks the SSH host key and abort the connection if the server's public key is not already trusted. We recommend everyone to upgrade as soon as possible. "}, {"lang": "es", "value": "Cargo es un administrador de paquetes de Rust. Se notific\u00f3 al Grupo de Trabajo de Respuesta de Seguridad de Rust que Cargo no realiz\u00f3 la verificaci\u00f3n de la clave de host SSH al clonar \u00edndices y dependencias a trav\u00e9s de SSH. Un atacante podr\u00eda aprovechar esto para realizar ataques de intermediario (MITM). A esta vulnerabilidad se le ha asignado CVE-2022-46176. Todas las versiones de Rust que contienen Cargo anteriores a la 1.66.1 son vulnerables. Tenga en cuenta que incluso si no usa SSH expl\u00edcitamente para \u00edndices de registro alternativos o dependencias de cajas, podr\u00eda verse afectado por esta vulnerabilidad si ha configurado git para reemplazar las conexiones HTTPS a GitHub con SSH (a trav\u00e9s de [`url..insteadOf`] de git). [1]), ya que eso har\u00eda que clonaras el \u00edndice de crates.io a trav\u00e9s de SSH. Rust 1.66.1 garantizar\u00e1 que Cargo verifique la clave del host SSH y cancelar\u00e1 la conexi\u00f3n si la clave p\u00fablica del servidor a\u00fan no es confiable. Recomendamos a todos que actualicen lo antes posible."}], "id": "CVE-2022-46176", "lastModified": "2024-11-21T07:30:15.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-01-11T21:15:10.087", "references": [{"source": "security-advisories@github.com", "url": "http://www.openwall.com/lists/oss-security/2023/11/05/6"}, {"source": "security-advisories@github.com", "url": "http://www.openwall.com/lists/oss-security/2023/11/06/5"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2023/11/05/6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2023/11/06/5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "rust-cargo: cargo lacking ssh host key checking", "id": "2160363", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160363"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-347", "details": ["Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle (MITM) attacks. This vulnerability has been assigned CVE-2022-46176. All Rust versions containing Cargo before 1.66.1 are vulnerable. Note that even if you don't explicitly use SSH for alternate registry indexes or crate dependencies, you might be affected by this vulnerability if you have configured git to replace HTTPS connections to GitHub with SSH (through git's [`url.<base>.insteadOf`][1] setting), as that'd cause you to clone the crates.io index through SSH. Rust 1.66.1 will ensure Cargo checks the SSH host key and abort the connection if the server's public key is not already trusted. We recommend everyone to upgrade as soon as possible."], "name": "CVE-2022-46176", "package_state": [{"cpe": "cpe:/a:redhat:devtools:", "fix_state": "Not affected", "package_name": "rust-toolset-1.62-rust", "product_name": "Red Hat Developer Tools"}, {"cpe": "cpe:/a:redhat:devtools:", "fix_state": "Not affected", "package_name": "rust-toolset-1.66-rust", "product_name": "Red Hat Developer Tools"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "rust-toolset", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "rust", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2023-01-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-46176\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-46176"], "threat_severity": "Moderate"}