Threat actors can exploit a security vulnerability in the Rust standard library to target Windows systems in command injection attacks. […]

    • PlexSheep@infosec.pub
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      8 months ago

      Yeah it seems weirdly specific. Also, if you pass user input to command args directly, you are asking for trouble.

      “An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping. The severity of this vulnerability is critical if you are invoking batch files on Windows with untrusted arguments. No other platform or use is affected.”

      According to the article the following other langs are affected:

      • Erlang (documentation update)
      • Go (documentation update)
      • Haskell (patch available)
      • Java (won’t fix)
      • Node.js (patch will be available)
      • PHP (patch will be available)
      • Python (documentation update)
      • Ruby (documentation update)

      Seems like most languages don’t even treat this as a real security vulnerability?