Threat actors can exploit a security vulnerability in the Rust standard library to target Windows systems in command injection attacks. […]

  • PlexSheep@infosec.pub
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    8 months ago

    Yeah it seems weirdly specific. Also, if you pass user input to command args directly, you are asking for trouble.

    “An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping. The severity of this vulnerability is critical if you are invoking batch files on Windows with untrusted arguments. No other platform or use is affected.”

    According to the article the following other langs are affected:

    • Erlang (documentation update)
    • Go (documentation update)
    • Haskell (patch available)
    • Java (won’t fix)
    • Node.js (patch will be available)
    • PHP (patch will be available)
    • Python (documentation update)
    • Ruby (documentation update)

    Seems like most languages don’t even treat this as a real security vulnerability?