GHSA-4fg7-vxc8-qx5w – rage
Package
Manager: cargo
Name: rage
Vulnerable Version: =0.6.0 || >=0.6.0 <0.6.1 || >=0.7.0 <0.7.2 || >=0.8.0 <0.8.2 || >=0.9.0 <0.9.3 || =0.10.0 || >=0.10.0 <0.10.1 || =0.11.0 || >=0.11.0 <0.11.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
rage vulnerable to malicious plugin names, recipients, or identities causing arbitrary binary execution

A plugin name containing a path separator may allow an attacker to execute an arbitrary binary. Such a plugin name can be provided to the `rage` CLI through an attacker-controlled recipient or identity string, or to the following `age` APIs when the `plugin` feature flag is enabled:

- [`age::plugin::Identity::from_str`](https://docs.rs/age/0.11.0/age/plugin/struct.Identity.html#impl-FromStr-for-Identity) (or equivalently [`str::parse::<age::plugin::Identity>()`](https://doc.rust-lang.org/stable/core/primitive.str.html#method.parse))
- [`age::plugin::Identity::default_for_plugin`](https://docs.rs/age/0.11.0/age/plugin/struct.Identity.html#method.default_for_plugin)
- [`age::plugin::IdentityPluginV1::new`](https://docs.rs/age/0.11.0/age/plugin/struct.IdentityPluginV1.html#method.new)
- [`age::plugin::Recipient::from_str`](https://docs.rs/age/0.11.0/age/plugin/struct.Recipient.html#impl-FromStr-for-Recipient) (or equivalently [`str::parse::<age::plugin::Recipient>()`](https://doc.rust-lang.org/stable/core/primitive.str.html#method.parse))
- [`age::plugin::RecipientPluginV1::new`](https://docs.rs/age/0.11.0/age/plugin/struct.RecipientPluginV1.html#method.new)

On UNIX systems, a directory matching `age-plugin-*` needs to exist in the working directory for the attack to succeed. The binary is executed with a single flag, either `--age-plugin=recipient-v1` or `--age-plugin=identity-v1`. The standard input includes the recipient or identity string, and the random file key (if encrypting) or the header of the file (if decrypting). The format is constrained by the [age-plugin](https://c2sp.org/age-plugin) protocol.

An equivalent issue was fixed in [the reference Go implementation of age](https://github.com/FiloSottile/age), see advisory [GHSA-32gq-x56h-299c](https://github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c).
Thanks to ⬡-49016 for reporting this issue.
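As an added illustration (not rage's own code or its actual fix), the kind of check that closes this class of bug: extract the plugin name from a recipient or identity string and refuse to derive an `age-plugin-<name>` binary name from it unless the name is limited to a safe character set. It assumes the age-plugin string layout (`age1NAME1...` for recipients, `AGE-PLUGIN-NAME-1...` for identities), skips bech32 checksum verification, and the allowed character set is this example's choice, not the project's.

```rust
// Added example: validate an age plugin name before it is turned into a
// binary name. Simplified: bech32 checksum is not verified here.

#[derive(Debug, PartialEq)]
pub enum PluginNameError {
    UnknownFormat,
    Empty,
    ForbiddenChar(char),
}

/// Bech32 splits a string at the LAST '1'; everything before it is the
/// human-readable part (HRP) that carries the plugin name.
fn bech32_hrp(s: &str) -> Option<&str> {
    s.rfind('1').map(|i| &s[..i])
}

/// Extract the plugin name from a recipient ("age1NAME1...") or an
/// identity ("AGE-PLUGIN-NAME-1...") string (assumed age-plugin layout),
/// then validate it before returning it.
pub fn plugin_name(s: &str) -> Result<String, PluginNameError> {
    let hrp = bech32_hrp(s).ok_or(PluginNameError::UnknownFormat)?;
    let name = if let Some(n) = hrp.strip_prefix("age1") {
        n.to_string()
    } else if let Some(n) = hrp
        .strip_prefix("AGE-PLUGIN-")
        .and_then(|n| n.strip_suffix('-'))
    {
        n.to_ascii_lowercase()
    } else {
        return Err(PluginNameError::UnknownFormat);
    };
    validate_plugin_name(&name)?;
    Ok(name)
}

/// Accept only names safe to embed in a file name: non-empty and made of
/// ASCII lowercase letters, digits and '-'. This rejects '/' and '\\'
/// (path separators on any platform), '.' (so "..") and whitespace.
pub fn validate_plugin_name(name: &str) -> Result<(), PluginNameError> {
    if name.is_empty() {
        return Err(PluginNameError::Empty);
    }
    let allowed = |c: &char| c.is_ascii_lowercase() || c.is_ascii_digit() || *c == '-';
    match name.chars().find(|c| !allowed(c)) {
        Some(c) => Err(PluginNameError::ForbiddenChar(c)),
        None => Ok(()),
    }
}

/// Binary name that would be looked up on PATH, only for a validated name.
pub fn plugin_binary(name: &str) -> Result<String, PluginNameError> {
    validate_plugin_name(name)?;
    Ok(format!("age-plugin-{}", name))
}
```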
Metadata
Created: 2024-12-18T18:21:55Z
Modified: 2025-01-03T19:29:42Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-4fg7-vxc8-qx5w/GHSA-4fg7-vxc8-qx5w.json
CWE IDs: ["CWE-25"]
Alternative ID: N/A
Finding: F098
Auto approve: 1