CVE-2022-46176: Cargo did not verify SSH host keys
The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle (MITM) attacks.
This vulnerability has been assigned CVE-2022-46176.
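To make concrete what the missing check means, here is an added example (written for this page, not Cargo's or libgit2's code) of the host key verification an SSH client is expected to perform against `~/.ssh/known_hosts` before trusting a server: the presented key is looked up for the host, including entries stored in OpenSSH's hashed `|1|salt|hmac` form, and the outcome is one of "ok" (key pinned and matching), "mismatch" (host pinned to a different key, the signal of an interception) or "unknown" (no pin, so nothing can be verified). A client that skips this step, as Cargo did before the fix, accepts whichever key the network hands it. The host names, salt and key blobs below are constructed sample data, not real keys.

```python
import base64
import hashlib
import hmac


def hashed_host_pattern(host, salt_b64):
    """Build an OpenSSH HashKnownHosts entry: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (salt_b64, base64.b64encode(mac).decode())


# Constructed sample known_hosts content (fake hosts, fake keys, fixed salt).
SAMPLE_SALT = base64.b64encode(b"0123456789abcdefghij").decode()
KEY_A = "AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataThatIsNotReal"
KEY_B = "AAAAC3NzaC1lZDI1NTE5AAAAISecondMadeUpKeyDataNotReal0"
KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "git.example.com ssh-ed25519 " + KEY_A,
    hashed_host_pattern("internal.example.net", SAMPLE_SALT) + " ssh-ed25519 " + KEY_B,
])


def parse_known_hosts(text):
    """Yield (host_field, key_type, key_data) for each usable line.

    Marker lines (@cert-authority, @revoked) are skipped to keep the example short.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        entries.append((parts[0], parts[1], parts[2]))
    return entries


def host_matches(host_field, host):
    """True if the comma-separated host field names `host`, in plain or hashed form."""
    for pattern in host_field.split(","):
        if pattern.startswith("|1|"):
            _, _, salt_b64, mac_b64 = pattern.split("|")
            mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(mac, base64.b64decode(mac_b64)):
                return True
        elif pattern == host:
            return True
    return False


def fingerprint(key_data):
    """SHA256 fingerprint in the form ssh-keygen prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(key_data)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify_host_key(known_hosts_text, host, key_type, key_data):
    """Return "ok", "mismatch" or "unknown" for the key a server presented."""
    host_is_pinned = False
    for host_field, pinned_type, pinned_data in parse_known_hosts(known_hosts_text):
        if not host_matches(host_field, host):
            continue
        host_is_pinned = True
        if pinned_type == key_type and hmac.compare_digest(pinned_data.encode(), key_data.encode()):
            return "ok"
    # A pinned host with a different key is the case a client must refuse, not silently accept.
    return "mismatch" if host_is_pinned else "unknown"


if __name__ == "__main__":
    for host, key in [("git.example.com", KEY_A), ("git.example.com", KEY_B),
                      ("internal.example.net", KEY_B), ("other.example.org", KEY_A)]:
        print(host, fingerprint(key), verify_host_key(KNOWN_HOSTS, host, "ssh-ed25519", key))
```

The same lookup can be done against a real file with `ssh-keygen -F <host>`. For the Cargo case specifically, the upstream advisory's fallback for installations that cannot upgrade is to set `net.git-fetch-with-cli = true` in Cargo's configuration so the system `git` (and therefore OpenSSH, with its known_hosts handling) performs the fetch.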
References
- git-scm.com/docs/git-config
- github.com/advisories/GHSA-r5w3-xm58-jv6j
- github.com/rust-lang/cargo
- github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j
- github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176
- nvd.nist.gov/vuln/detail/CVE-2022-46176
- www.rust-lang.org/policies/security