CVE-2022-46176 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2022-46176 Interim 1 9 2023-09-08T23:24:10Z current 2023-01-13T00:42:15Z 2023-09-08T23:24:10Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2022-46176 Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle (MITM) attacks. This vulnerability has been assigned CVE-2022-46176. All Rust versions containing Cargo before 1.66.1 are vulnerable. Note that even if you don't explicitly use SSH for alternate registry indexes or crate dependencies, you might be affected by this vulnerability if you have configured git to replace HTTPS connections to GitHub with SSH (through git's [`url.<base>.insteadOf`][1] setting), as that'd cause you to clone the crates.io index through SSH. Rust 1.66.1 will ensure Cargo checks the SSH host key and abort the connection if the server's public key is not already trusted. We recommend everyone to upgrade as soon as possible. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.suse.com/pipermail/sle-security-updates/2023-January/013519.html E-Mail link for SUSE-CU-2023:205-1 https://lists.suse.com/pipermail/sle-security-updates/2023-January/013520.html E-Mail link for SUSE-CU-2023:206-1 https://lists.suse.com/pipermail/sle-security-updates/2023-January/013516.html E-Mail link for SUSE-SU-2023:0132-1 https://lists.suse.com/pipermail/sle-security-updates/2023-January/013517.html E-Mail link for SUSE-SU-2023:0133-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings Container bci/rust:1.65-13.5 Container bci/rust:1.66 SUSE Enterprise Storage 7.1 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Real Time 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Server 15 SP3-LTSS SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Server 15 SP4-TERADATA SUSE Linux Enterprise Server Business Critical Linux 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP4 openSUSE Leap 15.4 openSUSE Tumbleweed cargo cargo1.65-1.65.0-150300.7.9.1 cargo1.65-1.65.0-4.1 cargo1.66-1.66.0-150400.9.9.1 cargo1.66-1.66.0-2.1 rls rust rust-gdb rust1.65-1.65.0-150300.7.9.1 rust1.65-1.65.0-4.1 rust1.66-1.66.0-150400.9.9.1 rust1.66-1.66.0-2.1 cargo1.65-1.65.0-150300.7.9.1 as a component of Container bci/rust:1.65-13.5 rust1.65-1.65.0-150300.7.9.1 as a component of Container bci/rust:1.65-13.5 cargo1.66-1.66.0-150400.9.9.1 as a component of Container bci/rust:1.66 rust1.66-1.66.0-150400.9.9.1 as a component of Container bci/rust:1.66 cargo1.65-1.65.0-150300.7.9.1 as a component of SUSE Enterprise Storage 7.1 rust1.65-1.65.0-150300.7.9.1 as a component of SUSE Enterprise Storage 7.1 cargo1.65-1.65.0-150300.7.9.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS rust1.65-1.65.0-150300.7.9.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS cargo1.65-1.65.0-150300.7.9.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS rust1.65-1.65.0-150300.7.9.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS cargo1.65-1.65.0-150300.7.9.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP4 cargo1.66-1.66.0-150400.9.9.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP4 rust1.65-1.65.0-150300.7.9.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP4 rust1.66-1.66.0-150400.9.9.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP4 cargo1.65-1.65.0-150300.7.9.1 as a component of SUSE Linux Enterprise Real Time 15 SP3 rust1.65-1.65.0-150300.7.9.1 as a component of SUSE Linux Enterprise Real Time 15 SP3 cargo1.65-1.65.0-150300.7.9.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS rust1.65-1.65.0-150300.7.9.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS cargo1.65-1.65.0-150300.7.9.1 as a component of SUSE Linux Enterprise Server 15 SP4-TERADATA cargo1.66-1.66.0-150400.9.9.1 as a component of SUSE Linux Enterprise Server 15 SP4-TERADATA rust1.65-1.65.0-150300.7.9.1 as a component of SUSE Linux Enterprise Server 15 SP4-TERADATA rust1.66-1.66.0-150400.9.9.1 as a component of SUSE Linux Enterprise Server 15 SP4-TERADATA cargo1.65-1.65.0-150300.7.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 rust1.65-1.65.0-150300.7.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 cargo1.65-1.65.0-150300.7.9.1 as a component of openSUSE Leap 15.4 cargo1.66-1.66.0-150400.9.9.1 as a component of openSUSE Leap 15.4 rust1.65-1.65.0-150300.7.9.1 as a component of openSUSE Leap 15.4 rust1.66-1.66.0-150400.9.9.1 as a component of openSUSE Leap 15.4 cargo1.65-1.65.0-4.1 as a component of openSUSE Tumbleweed cargo1.66-1.66.0-2.1 as a component of openSUSE Tumbleweed rust1.65-1.65.0-4.1 as a component of openSUSE Tumbleweed rust1.66-1.66.0-2.1 as a component of openSUSE Tumbleweed cargo as a component of SUSE Enterprise Storage 7.1 rls as a component of SUSE Enterprise Storage 7.1 rust as a component of SUSE Enterprise Storage 7.1 rust-gdb as a component of SUSE Enterprise Storage 7.1 cargo as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS rls as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS rust as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS rust-gdb as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS cargo as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS rls as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS rust as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS rust-gdb as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS cargo as a component of SUSE Linux Enterprise Module for Development Tools 15 SP3 rls as a component of SUSE Linux Enterprise Module for Development Tools 15 SP3 rust as a component of SUSE Linux Enterprise Module for Development Tools 15 SP3 rust-gdb as a component of SUSE Linux Enterprise Module for Development Tools 15 SP3 cargo as a component of SUSE Linux Enterprise Real Time 15 SP3 rls as a component of SUSE Linux Enterprise Real Time 15 SP3 rust as a component of SUSE Linux Enterprise Real Time 15 SP3 rust-gdb as a component of SUSE Linux Enterprise Real Time 15 SP3 rust as a component of SUSE Linux Enterprise Server Business Critical Linux 15 SP3 cargo as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 rls as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 rust as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 rust-gdb as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle (MITM) attacks. This vulnerability has been assigned CVE-2022-46176. All Rust versions containing Cargo before 1.66.1 are vulnerable. Note that even if you don't explicitly use SSH for alternate registry indexes or crate dependencies, you might be affected by this vulnerability if you have configured git to replace HTTPS connections to GitHub with SSH (through git's [`url.<base>.insteadOf`][1] setting), as that'd cause you to clone the crates.io index through SSH. Rust 1.66.1 will ensure Cargo checks the SSH host key and abort the connection if the server's public key is not already trusted. We recommend everyone to upgrade as soon as possible. CVE-2022-46176 Container bci/rust:1.65-13.5:cargo1.65-1.65.0-150300.7.9.1 Container bci/rust:1.65-13.5:rust1.65-1.65.0-150300.7.9.1 Container bci/rust:1.66:cargo1.66-1.66.0-150400.9.9.1 Container bci/rust:1.66:rust1.66-1.66.0-150400.9.9.1 SUSE Enterprise Storage 7.1:cargo1.65-1.65.0-150300.7.9.1 SUSE Enterprise Storage 7.1:rust1.65-1.65.0-150300.7.9.1 SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:cargo1.65-1.65.0-150300.7.9.1 SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:rust1.65-1.65.0-150300.7.9.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:cargo1.65-1.65.0-150300.7.9.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:rust1.65-1.65.0-150300.7.9.1 SUSE Linux Enterprise Module for Development Tools 15 SP4:cargo1.65-1.65.0-150300.7.9.1 SUSE Linux Enterprise Module for Development Tools 15 SP4:cargo1.66-1.66.0-150400.9.9.1 SUSE Linux Enterprise Module for Development Tools 15 SP4:rust1.65-1.65.0-150300.7.9.1 SUSE Linux Enterprise Module for Development Tools 15 SP4:rust1.66-1.66.0-150400.9.9.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP5:cargo1.65-1.65.0-150300.7.9.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP5:cargo1.66-1.66.0-150400.9.9.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP5:rust1.65-1.65.0-150300.7.9.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP5:rust1.66-1.66.0-150400.9.9.1 SUSE Linux Enterprise Real Time 15 SP3:cargo1.65-1.65.0-150300.7.9.1 SUSE Linux Enterprise Real Time 15 SP3:rust1.65-1.65.0-150300.7.9.1 SUSE Linux Enterprise Server 15 SP3-LTSS:cargo1.65-1.65.0-150300.7.9.1 SUSE Linux Enterprise Server 15 SP3-LTSS:rust1.65-1.65.0-150300.7.9.1 SUSE Linux Enterprise Server 15 SP4-TERADATA:cargo1.65-1.65.0-150300.7.9.1 SUSE Linux Enterprise Server 15 SP4-TERADATA:cargo1.66-1.66.0-150400.9.9.1 SUSE Linux Enterprise Server 15 SP4-TERADATA:rust1.65-1.65.0-150300.7.9.1 SUSE Linux Enterprise Server 15 SP4-TERADATA:rust1.66-1.66.0-150400.9.9.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:cargo1.65-1.65.0-150300.7.9.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:rust1.65-1.65.0-150300.7.9.1 openSUSE Leap 15.4:cargo1.65-1.65.0-150300.7.9.1 openSUSE Leap 15.4:cargo1.66-1.66.0-150400.9.9.1 openSUSE Leap 15.4:rust1.65-1.65.0-150300.7.9.1 openSUSE Leap 15.4:rust1.66-1.66.0-150400.9.9.1 openSUSE Tumbleweed:cargo1.65-1.65.0-4.1 openSUSE Tumbleweed:cargo1.66-1.66.0-2.1 openSUSE Tumbleweed:rust1.65-1.65.0-4.1 openSUSE Tumbleweed:rust1.66-1.66.0-2.1 SUSE Enterprise Storage 7.1:cargo SUSE Enterprise Storage 7.1:rls SUSE Enterprise Storage 7.1:rust SUSE Enterprise Storage 7.1:rust-gdb SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:cargo SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:rls SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:rust SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:rust-gdb SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:cargo SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:rls SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:rust SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:rust-gdb SUSE Linux Enterprise Module for Development Tools 15 SP3:cargo SUSE Linux Enterprise Module for Development Tools 15 SP3:rls SUSE Linux Enterprise Module for Development Tools 15 SP3:rust SUSE Linux Enterprise Module for Development Tools 15 SP3:rust-gdb SUSE Linux Enterprise Real Time 15 SP3:cargo SUSE Linux Enterprise Real Time 15 SP3:rls SUSE Linux Enterprise Real Time 15 SP3:rust SUSE Linux Enterprise Real Time 15 SP3:rust-gdb SUSE Linux Enterprise Server Business Critical Linux 15 SP3:rust SUSE Linux Enterprise Server for SAP Applications 15 SP3:cargo SUSE Linux Enterprise Server for SAP Applications 15 SP3:rls SUSE Linux Enterprise Server for SAP Applications 15 SP3:rust SUSE Linux Enterprise Server for SAP Applications 15 SP3:rust-gdb important 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H