Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-n4fu-fzu3-sbex

Summary

Cargo did not verify SSH host keys
The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle (MITM) attacks.

This vulnerability has been assigned CVE-2022-46176.

## Overview

When an SSH client establishes communication with a server, to prevent MITM attacks the client should check whether it already communicated with that server in the past and what the server's public key was back then. If the key changed since the last connection, the connection must be aborted as a MITM attack is likely taking place.

It was discovered that Cargo never implemented such checks, and performed no validation on the server's public key, leaving Cargo users vulnerable to MITM attacks.

## Affected Versions

All Rust versions containing Cargo before 1.66.1 are vulnerable (prior to 0.67.1 for the crates.io package).

Note that even if you don't explicitly use SSH for alternate registry indexes or crate dependencies, you might be affected by this vulnerability if you have configured git to replace HTTPS connections to GitHub with SSH (through git's [`url.<base>.insteadOf`][1] setting), as that'd cause you to clone the crates.io index through SSH.

## Mitigations

We will be releasing Rust 1.66.1 today, 2023-01-10, changing Cargo to check the SSH host key and abort the connection if the server's public key is not already trusted. We recommend everyone to upgrade as soon as possible.

Patch files for Rust 1.66.0 are also available [here][2] for custom-built toolchains.

For the time being Cargo will not ask the user whether to trust a server's public key during the first connection. Instead, Cargo will show an error message detailing how to add that public key to the list of trusted keys. Note that this might break your automated builds if the hosts you clone dependencies or indexes from are not already trusted.

If you can't upgrade to Rust 1.66.1 yet, we recommend configuring Cargo to use the `git` CLI instead of its built-in git support. That way, all git network operations will be performed by the `git` CLI, which is not affected by this vulnerability. You can do so by adding this snippet to your [Cargo configuration file](https://doc.rust-lang.org/cargo/reference/config.html):

```toml
[net]
git-fetch-with-cli = true
```

## Acknowledgments

Thanks to the Julia Security Team for disclosing this to us according to our [security policy][3]!

We also want to thank the members of the Rust project who contributed to fixing this issue. Thanks to Eric Huss and Weihang Lo for writing and reviewing the patch, Pietro Albini for coordinating the disclosure and writing this advisory, and Josh Stone, Josh Triplett and Jacob Finkelman for advising during the disclosure.

[1]: https://git-scm.com/docs/git-config#Documentation/git-config.txt-urlltbasegtinsteadOf
[2]: https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176
[3]: https://www.rust-lang.org/policies/security

Aliases

alias	CVE-2022-46176

alias	GHSA-r5w3-xm58-jv6j

Fixed_packages

url	pkg:apk/alpine/rust@1.66.1-r0?arch=s390x&distroversion=v3.23&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=s390x&distroversion=v3.23&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=s390x&distroversion=v3.23&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=armv7&distroversion=v3.19&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=armv7&distroversion=v3.19&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=armv7&distroversion=v3.19&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=aarch64&distroversion=edge&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=aarch64&distroversion=edge&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=aarch64&distroversion=edge&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=armhf&distroversion=edge&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=armhf&distroversion=edge&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=armhf&distroversion=edge&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=armv7&distroversion=edge&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=armv7&distroversion=edge&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=armv7&distroversion=edge&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=loongarch64&distroversion=edge&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=loongarch64&distroversion=edge&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=loongarch64&distroversion=edge&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=ppc64le&distroversion=edge&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=ppc64le&distroversion=edge&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=ppc64le&distroversion=edge&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=riscv64&distroversion=edge&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=riscv64&distroversion=edge&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=riscv64&distroversion=edge&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=s390x&distroversion=edge&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=s390x&distroversion=edge&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=s390x&distroversion=edge&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=x86&distroversion=edge&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=x86&distroversion=edge&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=x86&distroversion=edge&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=x86_64&distroversion=edge&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=x86_64&distroversion=edge&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=x86_64&distroversion=edge&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=aarch64&distroversion=v3.20&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=aarch64&distroversion=v3.20&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=aarch64&distroversion=v3.20&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=armhf&distroversion=v3.20&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=armhf&distroversion=v3.20&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=armhf&distroversion=v3.20&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=armv7&distroversion=v3.20&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=armv7&distroversion=v3.20&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=armv7&distroversion=v3.20&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=ppc64le&distroversion=v3.20&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=ppc64le&distroversion=v3.20&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=ppc64le&distroversion=v3.20&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=riscv64&distroversion=v3.20&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=riscv64&distroversion=v3.20&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=riscv64&distroversion=v3.20&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=s390x&distroversion=v3.20&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=s390x&distroversion=v3.20&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=s390x&distroversion=v3.20&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=x86&distroversion=v3.20&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=x86&distroversion=v3.20&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=x86&distroversion=v3.20&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=x86_64&distroversion=v3.20&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=x86_64&distroversion=v3.20&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=x86_64&distroversion=v3.20&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=aarch64&distroversion=v3.18&reponame=community
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=aarch64&distroversion=v3.18&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=aarch64&distroversion=v3.18&reponame=community

url	pkg:apk/alpine/rust@1.66.1-r0?arch=armhf&distroversion=v3.18&reponame=community
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=armhf&distroversion=v3.18&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=armhf&distroversion=v3.18&reponame=community

url	pkg:apk/alpine/rust@1.66.1-r0?arch=armv7&distroversion=v3.18&reponame=community
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=armv7&distroversion=v3.18&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=armv7&distroversion=v3.18&reponame=community

url	pkg:apk/alpine/rust@1.66.1-r0?arch=ppc64le&distroversion=v3.18&reponame=community
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=ppc64le&distroversion=v3.18&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=ppc64le&distroversion=v3.18&reponame=community

url	pkg:apk/alpine/rust@1.66.1-r0?arch=s390x&distroversion=v3.18&reponame=community
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=s390x&distroversion=v3.18&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=s390x&distroversion=v3.18&reponame=community

url	pkg:apk/alpine/rust@1.66.1-r0?arch=x86&distroversion=v3.18&reponame=community
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=x86&distroversion=v3.18&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=x86&distroversion=v3.18&reponame=community

url	pkg:apk/alpine/rust@1.66.1-r0?arch=x86_64&distroversion=v3.18&reponame=community
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=x86_64&distroversion=v3.18&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=x86_64&distroversion=v3.18&reponame=community

url	pkg:apk/alpine/rust@1.66.1-r0?arch=aarch64&distroversion=v3.22&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=aarch64&distroversion=v3.22&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=aarch64&distroversion=v3.22&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=armhf&distroversion=v3.22&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=armhf&distroversion=v3.22&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=armhf&distroversion=v3.22&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=armv7&distroversion=v3.22&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=armv7&distroversion=v3.22&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=armv7&distroversion=v3.22&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=loongarch64&distroversion=v3.22&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=loongarch64&distroversion=v3.22&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=loongarch64&distroversion=v3.22&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=ppc64le&distroversion=v3.22&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=ppc64le&distroversion=v3.22&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=ppc64le&distroversion=v3.22&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=riscv64&distroversion=v3.22&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=riscv64&distroversion=v3.22&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=riscv64&distroversion=v3.22&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=s390x&distroversion=v3.22&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=s390x&distroversion=v3.22&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=s390x&distroversion=v3.22&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=x86&distroversion=v3.22&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=x86&distroversion=v3.22&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=x86&distroversion=v3.22&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=x86_64&distroversion=v3.22&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=x86_64&distroversion=v3.22&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=x86_64&distroversion=v3.22&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=aarch64&distroversion=v3.23&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=aarch64&distroversion=v3.23&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=aarch64&distroversion=v3.23&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=armhf&distroversion=v3.23&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=armhf&distroversion=v3.23&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=armhf&distroversion=v3.23&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=armv7&distroversion=v3.23&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=armv7&distroversion=v3.23&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=armv7&distroversion=v3.23&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=loongarch64&distroversion=v3.23&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=loongarch64&distroversion=v3.23&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=loongarch64&distroversion=v3.23&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=ppc64le&distroversion=v3.23&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=ppc64le&distroversion=v3.23&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=ppc64le&distroversion=v3.23&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=riscv64&distroversion=v3.23&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=riscv64&distroversion=v3.23&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=riscv64&distroversion=v3.23&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=x86&distroversion=v3.23&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=x86&distroversion=v3.23&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=x86&distroversion=v3.23&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=x86_64&distroversion=v3.23&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=x86_64&distroversion=v3.23&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=x86_64&distroversion=v3.23&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=aarch64&distroversion=v3.21&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=aarch64&distroversion=v3.21&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=aarch64&distroversion=v3.21&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=armhf&distroversion=v3.21&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=armhf&distroversion=v3.21&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=armhf&distroversion=v3.21&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=armv7&distroversion=v3.21&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=armv7&distroversion=v3.21&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=armv7&distroversion=v3.21&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=loongarch64&distroversion=v3.21&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=loongarch64&distroversion=v3.21&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=loongarch64&distroversion=v3.21&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=ppc64le&distroversion=v3.21&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=ppc64le&distroversion=v3.21&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=ppc64le&distroversion=v3.21&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=riscv64&distroversion=v3.21&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=riscv64&distroversion=v3.21&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=riscv64&distroversion=v3.21&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=s390x&distroversion=v3.21&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=s390x&distroversion=v3.21&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=s390x&distroversion=v3.21&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=x86&distroversion=v3.21&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=x86&distroversion=v3.21&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=x86&distroversion=v3.21&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=x86_64&distroversion=v3.21&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=x86_64&distroversion=v3.21&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=x86_64&distroversion=v3.21&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=armhf&distroversion=v3.19&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=armhf&distroversion=v3.19&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=armhf&distroversion=v3.19&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=ppc64le&distroversion=v3.19&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=ppc64le&distroversion=v3.19&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=ppc64le&distroversion=v3.19&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=s390x&distroversion=v3.19&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=s390x&distroversion=v3.19&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=s390x&distroversion=v3.19&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=x86&distroversion=v3.19&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=x86&distroversion=v3.19&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=x86&distroversion=v3.19&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=x86_64&distroversion=v3.19&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=x86_64&distroversion=v3.19&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=x86_64&distroversion=v3.19&reponame=main

url	pkg:apk/alpine/rust@1.66.1-r0?arch=aarch64&distroversion=v3.19&reponame=main
purl	pkg:apk/alpine/rust@1.66.1-r0?arch=aarch64&distroversion=v3.19&reponame=main
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/rust@1.66.1-r0%3Farch=aarch64&distroversion=v3.19&reponame=main

url	pkg:cargo/cargo@0.67.1
purl	pkg:cargo/cargo@0.67.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:cargo/cargo@0.67.1

url	pkg:deb/debian/cargo@0.66.0%2Bds1-1?distro=bullseye
purl	pkg:deb/debian/cargo@0.66.0%2Bds1-1?distro=bullseye
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/cargo@0.66.0%252Bds1-1%3Fdistro=bullseye

url	pkg:deb/debian/cargo@0.66.0%2Bds1-1
purl	pkg:deb/debian/cargo@0.66.0%2Bds1-1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/cargo@0.66.0%252Bds1-1

url pkg:deb/debian/rust-cargo@0.66.0-1?distro=trixie

purl pkg:deb/debian/rust-cargo@0.66.0-1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-19kb-chr9-x7fm

vulnerability	VCID-fa6z-bb5y-jbg8

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rust-cargo@0.66.0-1%3Fdistro=trixie

url pkg:deb/debian/rust-cargo@0.66.0-1

purl pkg:deb/debian/rust-cargo@0.66.0-1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-19kb-chr9-x7fm

vulnerability	VCID-fa6z-bb5y-jbg8

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rust-cargo@0.66.0-1

url	pkg:deb/debian/rust-cargo@0.86.0-2?distro=trixie
purl	pkg:deb/debian/rust-cargo@0.86.0-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/rust-cargo@0.86.0-2%3Fdistro=trixie

url	pkg:deb/debian/rust-cargo@0.91.0-1?distro=trixie
purl	pkg:deb/debian/rust-cargo@0.91.0-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/rust-cargo@0.91.0-1%3Fdistro=trixie

url	pkg:ebuild/dev-lang/rust@1.71.1
purl	pkg:ebuild/dev-lang/rust@1.71.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:ebuild/dev-lang/rust@1.71.1

url	pkg:ebuild/dev-lang/rust-bin@1.71.1
purl	pkg:ebuild/dev-lang/rust-bin@1.71.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:ebuild/dev-lang/rust-bin@1.71.1

Affected_packages

url pkg:cargo/cargo@0.67.0

purl pkg:cargo/cargo@0.67.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-n4fu-fzu3-sbex

resource_url http://public2.vulnerablecode.io/packages/pkg:cargo/cargo@0.67.0

url pkg:deb/debian/cargo@0.47.0-3

purl pkg:deb/debian/cargo@0.47.0-3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-n4fu-fzu3-sbex

vulnerability	VCID-r9ky-9nbm-yucw

vulnerability	VCID-ssct-y25y-3qbw

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/cargo@0.47.0-3

url pkg:deb/debian/cargo@0.47.0-3?distro=bullseye

purl pkg:deb/debian/cargo@0.47.0-3?distro=bullseye

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-n4fu-fzu3-sbex

vulnerability	VCID-r9ky-9nbm-yucw

vulnerability	VCID-ssct-y25y-3qbw

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/cargo@0.47.0-3%3Fdistro=bullseye

url pkg:deb/debian/rust-cargo@0.43.1-4?distro=trixie

purl pkg:deb/debian/rust-cargo@0.43.1-4?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-19kb-chr9-x7fm

vulnerability	VCID-fa6z-bb5y-jbg8

vulnerability	VCID-n4fu-fzu3-sbex

vulnerability	VCID-r9ky-9nbm-yucw

vulnerability	VCID-ssct-y25y-3qbw

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rust-cargo@0.43.1-4%3Fdistro=trixie

url pkg:deb/debian/rust-cargo@0.43.1-4

purl pkg:deb/debian/rust-cargo@0.43.1-4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-19kb-chr9-x7fm

vulnerability	VCID-fa6z-bb5y-jbg8

vulnerability	VCID-n4fu-fzu3-sbex

vulnerability	VCID-r9ky-9nbm-yucw

vulnerability	VCID-ssct-y25y-3qbw

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rust-cargo@0.43.1-4

References

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-46176.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-46176.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-46176

reference_id

reference_type

scores

value	0.00149
scoring_system	epss
scoring_elements	0.35363
published_at	2026-04-21T12:55:00Z

value	0.00149
scoring_system	epss
scoring_elements	0.35415
published_at	2026-04-18T12:55:00Z

value	0.00149
scoring_system	epss
scoring_elements	0.35428
published_at	2026-04-16T12:55:00Z

value	0.00149
scoring_system	epss
scoring_elements	0.35388
published_at	2026-04-13T12:55:00Z

value	0.00149
scoring_system	epss
scoring_elements	0.35411
published_at	2026-04-12T12:55:00Z

value	0.00149
scoring_system	epss
scoring_elements	0.35453
published_at	2026-04-11T12:55:00Z

value	0.00149
scoring_system	epss
scoring_elements	0.35445
published_at	2026-04-09T12:55:00Z

value	0.00149
scoring_system	epss
scoring_elements	0.3542
published_at	2026-04-08T12:55:00Z

value	0.00149
scoring_system	epss
scoring_elements	0.35374
published_at	2026-04-07T12:55:00Z

value	0.00149
scoring_system	epss
scoring_elements	0.35491
published_at	2026-04-04T12:55:00Z

value	0.00149
scoring_system	epss
scoring_elements	0.35466
published_at	2026-04-02T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-46176

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46176
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46176

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/rust-lang/cargo

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rust-lang/cargo

reference_url

https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:00:13Z/

url

https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j

reference_url

https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:00:13Z/

url

https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176

reference_url

https://git-scm.com/docs/git-config#Documentation/git-config.txt-urlltbasegtinsteadOf

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://git-scm.com/docs/git-config#Documentation/git-config.txt-urlltbasegtinsteadOf

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-46176

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-46176

reference_url

https://www.rust-lang.org/policies/security

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.rust-lang.org/policies/security

reference_url

http://www.openwall.com/lists/oss-security/2023/11/05/6

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:00:13Z/

url

http://www.openwall.com/lists/oss-security/2023/11/05/6

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2160363
reference_id	2160363
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2160363

reference_url

http://www.openwall.com/lists/oss-security/2023/11/06/5

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:00:13Z/

url

http://www.openwall.com/lists/oss-security/2023/11/06/5

reference_url

https://github.com/advisories/GHSA-r5w3-xm58-jv6j

reference_id

GHSA-r5w3-xm58-jv6j

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-r5w3-xm58-jv6j

reference_url	https://security.gentoo.org/glsa/202409-07
reference_id	GLSA-202409-07
reference_type
scores
url	https://security.gentoo.org/glsa/202409-07

Weaknesses

cwe_id	347
name	Improper Verification of Cryptographic Signature
description	The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Exploits

Severity_range_score 4.0 - 7.5

Exploitability 0.5

Weighted_severity 6.2

Risk_score 3.1

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-n4fu-fzu3-sbex

Vulnerability Instance