Vulnerability Details
Basic Information
| Title | MGASA-2025-0136 Updated rust packages fix security vulnerability |
|---|---|
| Type | osv |
| Published | 2025-04-17T17:37:29 |
| Last Seen | 2025-04-17T23:35:59 |
| CVSS Score | 10.0 (CRITICAL) |
CVSS v3 Details
| Attack Vector | NETWORK |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | CHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
CVE Information
| CVE IDs | CVE-2024-24576 |
|---|---|
| CWE | |
| Bulletin Family | software |
Description
The Rust Security Response WG was notified that the Rust standard
library did not properly escape arguments when invoking batch files
(with the bat and cmd extensions) on Windows using the Command API. An
attacker able to control the arguments passed to the spawned process
could execute arbitrary shell commands by bypassing the escaping.
The severity of this vulnerability is critical if you are invoking batch
files on Windows with untrusted arguments. No other platform or use is
affected.
We update to Rust 1.78.0 for future Mesa updates in Mageia 9.
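A caller-side guard for the case the description calls critical (batch files invoked with untrusted arguments), as an added example that is not part of the advisory or of the Rust project's code. The function names and the allow-list policy are assumptions chosen for illustration; the sample inputs are constructed.

```rust
use std::path::Path;
use std::process::Command;

/// True when `program` names a batch file (.bat or .cmd, any letter case).
/// Trailing dots and spaces are trimmed first, because Windows ignores
/// them when it resolves a file name.
fn is_batch_file(program: &str) -> bool {
    let trimmed = program.trim_end_matches(|c: char| c == '.' || c == ' ');
    Path::new(trimmed)
        .extension()
        .and_then(|e| e.to_str())
        .map(|e| e.eq_ignore_ascii_case("bat") || e.eq_ignore_ascii_case("cmd"))
        .unwrap_or(false)
}

/// Assumed policy: an argument headed for a batch file must be non-empty
/// and consist only of ASCII letters, digits, '.', '_' and '-'.
fn is_plain_arg(arg: &str) -> bool {
    !arg.is_empty()
        && arg
            .chars()
            .all(|c| c.is_ascii_alphanumeric() || matches!(c, '.' | '_' | '-'))
}

/// Builds a Command, but refuses a batch-file target when any argument
/// falls outside the allow-list. Other programs are passed through.
fn guarded_command(program: &str, args: &[&str]) -> Result<Command, String> {
    if is_batch_file(program) {
        if let Some(bad) = args.iter().find(|a| !is_plain_arg(a)) {
            return Err(format!("rejected argument for batch file: {:?}", bad));
        }
    }
    let mut cmd = Command::new(program);
    cmd.args(args);
    Ok(cmd)
}

fn main() {
    // Constructed sample inputs; nothing is spawned here.
    let cases: [(&str, &[&str]); 3] = [
        ("build.bat", &["release-1.2"]),
        ("build.bat", &["two words"]),
        ("tool.exe", &["two words"]),
    ];
    for (program, args) in cases {
        let verdict = guarded_command(program, args).map(|_| "allowed");
        println!("{} {:?} -> {:?}", program, args, verdict);
    }
}
```

The guard is a second layer for callers that cannot avoid batch files; it does not replace building with the updated toolchain.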
Impact Assessment
| Base Score | 10.0 |
|---|---|
| Severity | CRITICAL |