NVD Vulnerability Detail
Search Exploit, PoC
CVE-2022-21658
Summary

Rust is a multi-paradigm, general-purpose programming language designed for performance and safety, especially safe concurrency. The Rust Security Response WG was notified that the `std::fs::remove_dir_all` standard library function is vulnerable a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete. Rust 1.0.0 through Rust 1.58.0 is affected by this vulnerability with 1.58.1 containing a patch. Note that the following build targets don't have usable APIs to properly mitigate the attack, and are thus still vulnerable even with a patched toolchain: macOS before version 10.10 (Yosemite) and REDOX. We recommend everyone to update to Rust 1.58.1 as soon as possible, especially people developing programs expected to run in privileged contexts (including system daemons and setuid binaries), as those have the highest risk of being affected by this. Note that adding checks in your codebase before calling remove_dir_all will not mitigate the vulnerability, as they would also be vulnerable to race conditions like remove_dir_all itself. The existing mitigation is working as intended outside of race conditions.

Publication Date Jan. 21, 2022, 3:15 a.m.
Registration Date Jan. 21, 2022, 10 a.m.
Last Update Nov. 21, 2024, 3:45 p.m.
CVSS3.1 : MEDIUM
スコア 6.3
Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H
攻撃元区分(AV) ローカル
攻撃条件の複雑さ(AC)
攻撃に必要な特権レベル(PR)
利用者の関与(UI) 不要
影響の想定範囲(S) 変更なし
機密性への影響(C) なし
完全性への影響(I)
可用性への影響(A)
CVSS2.0 : LOW
Score 3.3
Vector AV:L/AC:M/Au:N/C:N/I:P/A:P
攻撃元区分(AV) ローカル
攻撃条件の複雑さ(AC)
攻撃前の認証要否(Au) 不要
機密性への影響(C) なし
完全性への影響(I)
可用性への影響(A)
Get all privileges. いいえ
Get user privileges いいえ
Get other privileges いいえ
User operation required いいえ
Affected software configurations
Configuration1 or higher or less more than less than
cpe:2.3:a:rust-lang:rust:*:*:*:*:*:*:*:* 1.0.0 1.58.0
Configuration2 or higher or less more than less than
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
Configuration3 or higher or less more than less than
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* 12.0.0 12.3
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:* 15.4
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* 15.4
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* 15.4
cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:* 8.5
Related information, measures and tools
Common Vulnerabilities List
JVN Vulnerability Information
Rust における Time-of-check Time-of-use (TOCTOU) 競合状態の脆弱性
Title Rust における Time-of-check Time-of-use (TOCTOU) 競合状態の脆弱性
Summary

Rust には、 Time-of-check Time-of-use (TOCTOU) 競合状態の脆弱性が存在します。

Possible impacts 情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution

ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date Jan. 20, 2022, midnight
Registration Date March 23, 2023, 2:19 p.m.
Last Update April 14, 2025, 2:59 p.m.
Affected System
アップル
iOS 
iPadOS 
macOS 
tvOS 
watchOS 
Fedora Project
Fedora 
The Rust Programming Language
Rust 1.0.0 から 1.58.0
CVE (情報セキュリティ 共通脆弱性識別子)
CWE (共通脆弱性タイプ一覧)
ベンダー情報
その他
Change Log
No Changed Details Date of change
1 [2023年03月23日]
  掲載		 March 23, 2023, 2:19 p.m.
2 [2025年04月14日]
  参考情報:JVN (JJVNVU#90506697) を追加
  参考情報:ICS-CERT ADVISORY (ICSA-25-100-02) を追加		 April 14, 2025, 1:37 p.m.