Rust Command Injection Vulnerability (CVE-2024-24576)
Apr 12, 2024 GMT+08:00
I. Overview
Recently, Rust released an official security notice disclosing a high-risk command injection vulnerability (CVE-2024-24576) in Rust versions earlier than 1.77.2. When the Rust Command API is used to invoke batch files (.bat and .cmd) on Windows, an attacker who controls the arguments can bypass the argument escaping performed by the Rust standard library and execute arbitrary shell commands on the target host. A proof of concept (PoC) for this vulnerability has been publicly disclosed, so the risk is high.
Rust is an open-source systems programming language that emphasizes performance, type safety, and concurrency. If you are a Rust user, check your Rust versions and apply security hardening promptly.
Reference link:
https://github.com/rust-lang/rust/security/advisories/GHSA-q455-m56c-85mh
https://blog.rust-lang.org/2024/04/09/cve-2024-24576.html
II. Severity
Severity: important
(Severity: low, moderate, important, and critical)
III. Affected Products
Affected versions:
Rust < 1.77.2
Secure versions:
Rust 1.77.2
IV. Vulnerability Handling
This vulnerability has been fixed in the latest official version. If the Rust version you use falls into the affected range, upgrade it to the secure version.
https://blog.rust-lang.org/2024/04/09/Rust-1.77.2.html
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.
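As an added example (not part of this notice and not code from the Rust project), the following guard is for code that, before the upgrade described above can be rolled out, still has to invoke a batch file with externally supplied arguments. Because cmd.exe re-parses the command line of a .bat/.cmd file (the mechanism behind the vulnerability in Section I), the guard refuses any argument containing characters cmd.exe interprets. The function names are hypothetical, and the metacharacter list is a conservative deny-list, not a complete description of cmd.exe parsing; upgrading to Rust 1.77.2 remains the actual fix.

```rust
use std::ffi::OsStr;
use std::path::Path;
use std::process::Command;

/// Characters cmd.exe treats specially when it parses a batch file's
/// command line. Any of them in an untrusted argument is grounds to refuse.
const CMD_META: &[char] = &['&', '|', '<', '>', '^', '%', '!', '"', '\r', '\n'];

/// True when `program` would be executed through cmd.exe on Windows,
/// i.e. its extension is .bat or .cmd (case-insensitive).
fn is_batch_file(program: &str) -> bool {
    Path::new(program)
        .extension()
        .and_then(OsStr::to_str)
        .map(|ext| ext.eq_ignore_ascii_case("bat") || ext.eq_ignore_ascii_case("cmd"))
        .unwrap_or(false)
}

/// Hypothetical guard: for batch files, reject any argument that contains a
/// cmd.exe metacharacter. Ordinary executables are left alone, since their
/// arguments go through the standard library's normal CreateProcess escaping.
fn check_batch_args(program: &str, args: &[&str]) -> Result<(), String> {
    if !is_batch_file(program) {
        return Ok(());
    }
    for (i, arg) in args.iter().enumerate() {
        if let Some(c) = arg.chars().find(|c| CMD_META.contains(c)) {
            return Err(format!("argument {i} contains cmd.exe metacharacter {c:?}"));
        }
    }
    Ok(())
}

/// Builds the Command only after the guard has passed; the caller decides
/// whether and how to spawn it.
fn guarded_command(program: &str, args: &[&str]) -> Result<Command, String> {
    check_batch_args(program, args)?;
    let mut cmd = Command::new(program);
    cmd.args(args);
    Ok(cmd)
}

fn main() {
    // Constructed sample inputs: a harmless invocation and a rejected one.
    println!("{:?}", check_batch_args("build.cmd", &["release", "x64"]));
    println!("{:?}", check_batch_args("build.cmd", &["a & b"]));
}
```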