CVE-2022-46176

Name of the Vulnerable Software and Affected Versions Rust versions prior to 1.66.1

Description The issue is related to the Cargo package manager in Rust, which does not perform SSH host key verification when cloning indexes and dependencies via SSH. This allows an attacker to perform man-in-the-middle (MITM) attacks. If git is configured to replace HTTPS connections to GitHub with SSH, users might be affected even if they do not explicitly use SSH for alternate registry indexes or crate dependencies. The vulnerability can be exploited by an attacker to intercept traffic, potentially allowing them to redirect requests to a fake server.

Recommendations For Rust versions prior to 1.66.1, upgrade to Rust 1.66.1 as soon as possible to ensure Cargo checks the SSH host key and aborts the connection if the server's public key is not already trusted. As a temporary workaround, consider configuring git to not replace HTTPS connections to GitHub with SSH, or restrict the use of SSH for cloning indexes and dependencies until the issue is resolved.