CVE-2021-45712

Name of the Vulnerable Software and Affected Versions: rust-embed crate versions prior to 6.3.0

Description: The issue allows attackers to read arbitrary files in the file system if they have control over the filename given, specifically when running in debug mode and the debug-embed feature is not enabled. This is due to the generated get method not checking that the input path is a child of the folder given. The flaw can be exploited by using a ../ directory traversal, as demonstrated by the ability to print the contents of /etc/passwd with adjusted code.

Recommendations: For rust-embed crate versions prior to 6.3.0, update to version 6.3.0 or later to resolve the issue. As a temporary workaround, consider disabling the debug-embed feature or restricting access to the get method to minimize the risk of exploitation. Additionally, ensure that input filenames are properly canonicalized and validated to prevent directory traversal attacks.