
Pyros2097

#35071 of 53,611
7.5 Total CVSS
Vulnerabilities · 1
PT-2021-24286
7.5
2021-11-29
Unknown · Rust-Embed · CVE-2021-45712
Name of the Vulnerable Software and Affected Versions: rust-embed crate versions prior to 6.3.0

Description: Attackers who control the filename passed to the generated `get` method can read arbitrary files from the file system. The issue is specific to debug builds in which the `debug-embed` feature is not enabled: in that configuration the crate does not embed the folder at compile time but reads assets from disk at runtime, and the generated `get` method does not check that the requested path is a child of the configured folder. A `../` directory traversal therefore escapes the folder, as demonstrated by printing the contents of `/etc/passwd` with a slightly adjusted example. Release builds, and debug builds with `debug-embed` enabled, serve the files embedded in the binary and do not perform the runtime file-system lookup.

Recommendations: Update to rust-embed 6.3.0 or later. As a temporary workaround, enable the `debug-embed` feature (so assets are embedded even in debug builds), build in release mode, or restrict what callers can pass to `get`. Independently of the crate, canonicalize and validate input filenames before using them in file lookups to prevent directory traversal.
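The following is an added example, not code from the dbugs page or from the rust-embed project. It reconstructs the two lookups the description contrasts: a debug-mode `get` that joins the caller's path onto the asset folder and reads whatever results (the pre-6.3.0 pattern), beside a hardened version that canonicalizes both the folder and the candidate file and requires the file to sit under the folder (the approach the recommendation describes). The fixture layout under the OS temp directory, the file names, and the passwd-style content of `secret.txt` are all constructed for the demonstration.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// Debug-mode lookup as the advisory describes the pre-6.3.0 behaviour
/// (hypothetical reconstruction, not the crate's generated code): the requested
/// path is joined onto the asset folder and read without checking that the
/// result stays inside that folder, so "../secret.txt" escapes it.
pub fn get_vulnerable(folder: &Path, file_path: &str) -> Option<Vec<u8>> {
    let rel = file_path.replace('\\', "/");
    let full = folder.join(rel);
    fs::read(full).ok()
}

/// Hardened lookup: reject absolute input (Path::join would discard `folder`),
/// canonicalize the folder and the candidate file, and require the candidate to
/// be under the canonical folder. Canonicalizing resolves symlinks, so a link
/// inside the folder that points outside is rejected as well. Path::starts_with
/// compares whole components, so "/x/assets2" does not pass for "/x/assets".
pub fn get_hardened(folder: &Path, file_path: &str) -> Option<Vec<u8>> {
    let rel = file_path.replace('\\', "/");
    if Path::new(&rel).is_absolute() {
        return None;
    }
    let canonical_folder = folder.canonicalize().ok()?;
    // canonicalize() fails for a non-existent file, which is the right answer
    // for a lookup anyway: None.
    let candidate = canonical_folder.join(rel).canonicalize().ok()?;
    if !candidate.starts_with(&canonical_folder) {
        return None;
    }
    fs::read(candidate).ok()
}

/// Constructed fixture (not real system files):
///   <base>/assets/index.html   the folder the application intends to serve
///   <base>/secret.txt          a sibling that must never be reachable
pub fn make_fixture() -> io::Result<PathBuf> {
    let base = std::env::temp_dir()
        .join(format!("rust_embed_traversal_demo_{}", std::process::id()));
    let assets = base.join("assets");
    fs::create_dir_all(&assets)?;
    fs::write(assets.join("index.html"), b"<h1>hello</h1>")?;
    // passwd-style line, constructed here to mirror the /etc/passwd demonstration
    fs::write(base.join("secret.txt"), b"root:x:0:0:root:/root:/bin/bash\n")?;
    Ok(base)
}

/// Runs both lookups against the fixture and returns
/// (vulnerable "../secret.txt", hardened "../secret.txt", hardened "index.html").
pub fn demo() -> io::Result<(Option<Vec<u8>>, Option<Vec<u8>>, Option<Vec<u8>>)> {
    let base = make_fixture()?;
    let assets = base.join("assets");
    let leaked = get_vulnerable(&assets, "../secret.txt");
    let blocked = get_hardened(&assets, "../secret.txt");
    let allowed = get_hardened(&assets, "index.html");
    let _ = fs::remove_dir_all(&base);
    Ok((leaked, blocked, allowed))
}

fn main() {
    let (leaked, blocked, allowed) = demo().expect("could not build fixture");
    let show = |v: Option<Vec<u8>>| v.map(|b| String::from_utf8_lossy(&b).into_owned());
    println!("vulnerable get(\"../secret.txt\") -> {:?}", show(leaked));
    println!("hardened   get(\"../secret.txt\") -> {:?}", show(blocked));
    println!("hardened   get(\"index.html\")    -> {:?}", show(allowed));
}
```

Canonicalizing the folder as well as the candidate matters on systems where the asset directory itself lives behind a symlink (for example a temp directory that resolves elsewhere): comparing a canonical file path against a non-canonical folder path would reject every legitimate request.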