{"api_version":"1","generated_at":"2026-04-23T00:41:43+00:00","cve":"CVE-2022-21658","urls":{"html":"https://cve.report/CVE-2022-21658","api":"https://cve.report/api/cve/CVE-2022-21658.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-21658","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-21658"},"summary":{"title":"CVE-2022-21658","description":"Rust is a multi-paradigm, general-purpose programming language designed for performance and safety, especially safe concurrency. The Rust Security Response WG was notified that the `std::fs::remove_dir_all` standard library function is vulnerable to a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete. Rust 1.0.0 through Rust 1.58.0 is affected by this vulnerability with 1.58.1 containing a patch. Note that the following build targets don't have usable APIs to properly mitigate the attack, and are thus still vulnerable even with a patched toolchain: macOS before version 10.10 (Yosemite) and REDOX. We recommend everyone to update to Rust 1.58.1 as soon as possible, especially people developing programs expected to run in privileged contexts (including system daemons and setuid binaries), as those have the highest risk of being affected by this. Note that adding checks in your codebase before calling remove_dir_all will not mitigate the vulnerability, as they would also be vulnerable to race conditions like remove_dir_all itself. 
The existing mitigation is working as intended outside of race conditions.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2022-01-20 18:15:00","updated_at":"2023-11-07 03:43:00"},"problem_types":["CWE-363","CWE-367"],"metrics":[],"references":[{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7JKZDTBMGAWIFJSNWKBMPO5EAKRR4BEW/","name":"FEDORA-2022-06569a0a60","refsource":"","tags":[],"title":"[SECURITY] Fedora 34 Update: rust-afterburn-5.2.0-4.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C63NH72Q7UHJM5V3IVYRI7LVBGGFQMSQ/","name":"FEDORA-2022-2c73789458","refsource":"","tags":[],"title":"[SECURITY] Fedora 34 Update: rust-1.58.1-1.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/202210-09","name":"GLSA-202210-09","refsource":"GENTOO","tags":[],"title":"Rust: Multiple Vulnerabilities (GLSA 202210-09) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BK32QZLHDC2OVLPKTUHNT2G3VHWHD4LX/","name":"FEDORA-2022-1bafa3fc91","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 35 Update: rust-1.58.1-1.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C63NH72Q7UHJM5V3IVYRI7LVBGGFQMSQ/","name":"FEDORA-2022-2c73789458","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 34 Update: rust-1.58.1-1.fc34 - package-announce - Fedora 
Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/rust-lang/rust/pull/93110","name":"https://github.com/rust-lang/rust/pull/93110","refsource":"MISC","tags":[],"title":"[stable] Fix CVE 2022 21658 and prepare 1.58.1 by pietroalbini · Pull Request #93110 · rust-lang/rust · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKGTACKMKAPRDPWPTU26GYWBELIRFF5N/","name":"FEDORA-2022-1b76e3a192","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 35 Update: rust-afterburn-5.2.0-4.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKGTACKMKAPRDPWPTU26GYWBELIRFF5N/","name":"FEDORA-2022-1b76e3a192","refsource":"","tags":[],"title":"[SECURITY] Fedora 35 Update: rust-afterburn-5.2.0-4.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://support.apple.com/kb/HT213193","name":"https://support.apple.com/kb/HT213193","refsource":"CONFIRM","tags":[],"title":"About the security content of watchOS 8.5 - Apple Support","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html","name":"https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html","refsource":"MISC","tags":[],"title":"Security advisory for the standard library (CVE-2022-21658) | Rust Blog","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/rust-lang/rust/pull/93110/commits/4f0ad1c92ca08da6e8dc17838070975762f59714","name":"https://github.com/rust-lang/rust/pull/93110/commits/4f0ad1c92ca08da6e8dc17838070975762f59714","refsource":"MISC","tags":[],"title":"[stable] Fix CVE 2022 21658 and prepare 1.58.1 by 
pietroalbini · Pull Request #93110 · rust-lang/rust · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://support.apple.com/kb/HT213186","name":"https://support.apple.com/kb/HT213186","refsource":"CONFIRM","tags":[],"title":"About the security content of tvOS 15.4 - Apple Support","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BK32QZLHDC2OVLPKTUHNT2G3VHWHD4LX/","name":"FEDORA-2022-1bafa3fc91","refsource":"","tags":[],"title":"[SECURITY] Fedora 35 Update: rust-1.58.1-1.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/rust-lang/rust/security/advisories/GHSA-r9cc-f5pr-p3j2","name":"https://github.com/rust-lang/rust/security/advisories/GHSA-r9cc-f5pr-p3j2","refsource":"CONFIRM","tags":[],"title":"Race condition in std::fs::remove_dir_all · Advisory · rust-lang/rust · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/rust-lang/rust/pull/93110/commits/32ed6e599bb4722efefd78bbc9cd7ec4613cb946","name":"https://github.com/rust-lang/rust/pull/93110/commits/32ed6e599bb4722efefd78bbc9cd7ec4613cb946","refsource":"MISC","tags":[],"title":"[stable] Fix CVE 2022 21658 and prepare 1.58.1 by pietroalbini · Pull Request #93110 · rust-lang/rust · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://support.apple.com/kb/HT213182","name":"https://support.apple.com/kb/HT213182","refsource":"CONFIRM","tags":[],"title":"About the security content of iOS 15.4 and iPadOS 15.4 - Apple Support","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7JKZDTBMGAWIFJSNWKBMPO5EAKRR4BEW/","name":"FEDORA-2022-06569a0a60","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 34 
Update: rust-afterburn-5.2.0-4.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/rust-lang/rust/pull/93110/commits/406cc071d6cfdfdb678bf3d83d766851de95abaf","name":"https://github.com/rust-lang/rust/pull/93110/commits/406cc071d6cfdfdb678bf3d83d766851de95abaf","refsource":"MISC","tags":[],"title":"[stable] Fix CVE 2022 21658 and prepare 1.58.1 by pietroalbini · Pull Request #93110 · rust-lang/rust · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://support.apple.com/kb/HT213183","name":"https://support.apple.com/kb/HT213183","refsource":"CONFIRM","tags":[],"title":"About the security content of macOS Monterey 12.3 - Apple Support (PH)","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-21658","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-21658","name":"NVD vulnerability 
detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"21658","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"apple","cpe5":"ipados","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"21658","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"apple","cpe5":"iphone_os","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"21658","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"apple","cpe5":"macos","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"21658","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"apple","cpe5":"tvos","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"21658","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"apple","cpe5":"watchos","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"21658","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"34","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"21658","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"35","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"21658","vulnerable":"1","versionEndIncluding":"1.58.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"rust-lang","cpe5":"r
ust","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-21658","qid":"159842","title":"Oracle Enterprise Linux Security Update for rust-toolset:ol8 (ELSA-2022-1894)"},{"cve":"CVE-2022-21658","qid":"184303","title":"Debian Security Update for rustc (CVE-2022-21658)"},{"cve":"CVE-2022-21658","qid":"240316","title":"Red Hat Update for rust-toolset:rhel8 security (RHSA-2022:1894)"},{"cve":"CVE-2022-21658","qid":"282280","title":"Fedora Security Update for rust (FEDORA-2022-2c73789458)"},{"cve":"CVE-2022-21658","qid":"282281","title":"Fedora Security Update for rust (FEDORA-2022-1bafa3fc91)"},{"cve":"CVE-2022-21658","qid":"282301","title":"Fedora Security Update for rust (FEDORA-2022-c4071e3dc7)"},{"cve":"CVE-2022-21658","qid":"282328","title":"Fedora Security Update for rust (FEDORA-2022-7ec8bda833)"},{"cve":"CVE-2022-21658","qid":"282351","title":"Fedora Security Update for rust (FEDORA-2022-1b76e3a192)"},{"cve":"CVE-2022-21658","qid":"282381","title":"Fedora Security Update for rust (FEDORA-2022-06569a0a60)"},{"cve":"CVE-2022-21658","qid":"353978","title":"Amazon Linux Security Advisory for rust : ALAS2-2022-1817"},{"cve":"CVE-2022-21658","qid":"6140317","title":"AWS Bottlerocket Security Update for libstd-rust (GHSA-gvh9-whw5-fc42)"},{"cve":"CVE-2022-21658","qid":"690782","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for rust (ee26f513-826e-11ec-8be6-d4c9ef517024)"},{"cve":"CVE-2022-21658","qid":"710640","title":"Gentoo Linux Rust Multiple Vulnerabilities (GLSA 202210-09)"},{"cve":"CVE-2022-21658","qid":"751637","title":"OpenSUSE Security Update for rust1.56 (openSUSE-SU-2022:0149-1)"},{"cve":"CVE-2022-21658","qid":"751655","title":"SUSE Enterprise Linux Security Update for rust (SUSE-SU-2022:0200-1)"},{"cve":"CVE-2022-21658","qid":"751663","title":"OpenSUSE Security Update for rust1.55 
(openSUSE-SU-2022:0171-1)"},{"cve":"CVE-2022-21658","qid":"751665","title":"OpenSUSE Security Update for rust1.57 (openSUSE-SU-2022:0175-1)"},{"cve":"CVE-2022-21658","qid":"751722","title":"SUSE Enterprise Linux Security Update for rust (SUSE-SU-2022:0491-1)"},{"cve":"CVE-2022-21658","qid":"751747","title":"OpenSUSE Security Update for rust (openSUSE-SU-2022:0491-1)"},{"cve":"CVE-2022-21658","qid":"751889","title":"OpenSUSE Security Update for rust, rust1.58, rust1.59 (openSUSE-SU-2022:0843-1)"},{"cve":"CVE-2022-21658","qid":"753084","title":"SUSE Enterprise Linux Security Update for rust, rust1.58, rust1.59 (SUSE-SU-2022:0843-1)"},{"cve":"CVE-2022-21658","qid":"753290","title":"SUSE Enterprise Linux Security Update for rust1.57 (SUSE-SU-2022:0175-1)"},{"cve":"CVE-2022-21658","qid":"753341","title":"SUSE Enterprise Linux Security Update for rust1.55 (SUSE-SU-2022:0171-1)"},{"cve":"CVE-2022-21658","qid":"753472","title":"SUSE Enterprise Linux Security Update for rust1.56 (SUSE-SU-2022:0149-1)"},{"cve":"CVE-2022-21658","qid":"900620","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for rust (8333)"},{"cve":"CVE-2022-21658","qid":"901744","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for rust (8337-1)"},{"cve":"CVE-2022-21658","qid":"940513","title":"AlmaLinux Security Update for rust-toolset:rhel8 (ALSA-2022:1894)"},{"cve":"CVE-2022-21658","qid":"960308","title":"Rocky Linux Security Update for rust-toolset:rhel8 (RLSA-2022:1894)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security-advisories@github.com","ID":"CVE-2022-21658","STATE":"PUBLIC","TITLE":"Race condition in std::fs::remove_dir_all in rustlang"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"rust","version":{"version_data":[{"version_value":"< 1.58.1"}]}}]},"vendor_name":"rust-lang"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Rust is a 
multi-paradigm, general-purpose programming language designed for performance and safety, especially safe concurrency. The Rust Security Response WG was notified that the `std::fs::remove_dir_all` standard library function is vulnerable to a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete. Rust 1.0.0 through Rust 1.58.0 is affected by this vulnerability with 1.58.1 containing a patch. Note that the following build targets don't have usable APIs to properly mitigate the attack, and are thus still vulnerable even with a patched toolchain: macOS before version 10.10 (Yosemite) and REDOX. We recommend everyone to update to Rust 1.58.1 as soon as possible, especially people developing programs expected to run in privileged contexts (including system daemons and setuid binaries), as those have the highest risk of being affected by this. Note that adding checks in your codebase before calling remove_dir_all will not mitigate the vulnerability, as they would also be vulnerable to race conditions like remove_dir_all itself. 
The existing mitigation is working as intended outside of race conditions."}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.3,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-363: Race Condition Enabling Link Following"}]},{"description":[{"lang":"eng","value":"CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition"}]}]},"references":{"reference_data":[{"name":"https://github.com/rust-lang/rust/security/advisories/GHSA-r9cc-f5pr-p3j2","refsource":"CONFIRM","url":"https://github.com/rust-lang/rust/security/advisories/GHSA-r9cc-f5pr-p3j2"},{"name":"https://github.com/rust-lang/rust/pull/93110","refsource":"MISC","url":"https://github.com/rust-lang/rust/pull/93110"},{"name":"https://github.com/rust-lang/rust/pull/93110/commits/32ed6e599bb4722efefd78bbc9cd7ec4613cb946","refsource":"MISC","url":"https://github.com/rust-lang/rust/pull/93110/commits/32ed6e599bb4722efefd78bbc9cd7ec4613cb946"},{"name":"https://github.com/rust-lang/rust/pull/93110/commits/406cc071d6cfdfdb678bf3d83d766851de95abaf","refsource":"MISC","url":"https://github.com/rust-lang/rust/pull/93110/commits/406cc071d6cfdfdb678bf3d83d766851de95abaf"},{"name":"https://github.com/rust-lang/rust/pull/93110/commits/4f0ad1c92ca08da6e8dc17838070975762f59714","refsource":"MISC","url":"https://github.com/rust-lang/rust/pull/93110/commits/4f0ad1c92ca08da6e8dc17838070975762f59714"},{"name":"https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html","refsource":"MISC","url":"https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html"},{"refsource":"FEDORA","name":"FEDORA-2022-1bafa3fc91","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BK32QZLHDC2OVLPKT
UHNT2G3VHWHD4LX/"},{"refsource":"FEDORA","name":"FEDORA-2022-2c73789458","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C63NH72Q7UHJM5V3IVYRI7LVBGGFQMSQ/"},{"refsource":"FEDORA","name":"FEDORA-2022-1b76e3a192","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKGTACKMKAPRDPWPTU26GYWBELIRFF5N/"},{"refsource":"FEDORA","name":"FEDORA-2022-06569a0a60","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7JKZDTBMGAWIFJSNWKBMPO5EAKRR4BEW/"},{"refsource":"CONFIRM","name":"https://support.apple.com/kb/HT213183","url":"https://support.apple.com/kb/HT213183"},{"refsource":"CONFIRM","name":"https://support.apple.com/kb/HT213182","url":"https://support.apple.com/kb/HT213182"},{"refsource":"CONFIRM","name":"https://support.apple.com/kb/HT213186","url":"https://support.apple.com/kb/HT213186"},{"refsource":"CONFIRM","name":"https://support.apple.com/kb/HT213193","url":"https://support.apple.com/kb/HT213193"},{"refsource":"GENTOO","name":"GLSA-202210-09","url":"https://security.gentoo.org/glsa/202210-09"}]},"source":{"advisory":"GHSA-r9cc-f5pr-p3j2","discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2022-01-20 18:15:00","lastModifiedDate":"2023-11-07 
03:43:00","problem_types":["CWE-363","CWE-367"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":6.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":1,"impactScore":5.2},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:L/AC:M/Au:N/C:N/I:P/A:P","accessVector":"LOCAL","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":3.3},"severity":"LOW","exploitabilityScore":3.4,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:rust-lang:rust:*:*:*:*:*:*:*:*","versionStartIncluding":"1.0.0","versionEndIncluding":"1.58.0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*","versionStartIncluding":"12.0.0","versionEndExcluding":"12.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*","versionEndExcluding":"15.4","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*","versionEndExcluding":"15.4","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*","versionEndExcluding":"15.4","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:apple:watchos:*:*:
*:*:*:*:*:*","versionEndExcluding":"8.5","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2022","CveId":"21658","Ordinal":"221400","Title":"CVE-2022-21658","CVE":"CVE-2022-21658","Year":"2022"},"notes":[{"CveYear":"2022","CveId":"21658","Ordinal":"1","NoteData":"Rust is a multi-paradigm, general-purpose programming language designed for performance and safety, especially safe concurrency. The Rust Security Response WG was notified that the `std::fs::remove_dir_all` standard library function is vulnerable to a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete. Rust 1.0.0 through Rust 1.58.0 is affected by this vulnerability with 1.58.1 containing a patch. Note that the following build targets don't have usable APIs to properly mitigate the attack, and are thus still vulnerable even with a patched toolchain: macOS before version 10.10 (Yosemite) and REDOX. We recommend everyone to update to Rust 1.58.1 as soon as possible, especially people developing programs expected to run in privileged contexts (including system daemons and setuid binaries), as those have the highest risk of being affected by this. Note that adding checks in your codebase before calling remove_dir_all will not mitigate the vulnerability, as they would also be vulnerable to race conditions like remove_dir_all itself. The existing mitigation is working as intended outside of race conditions.","Type":"Description","Title":null},{"CveYear":"2022","CveId":"21658","Ordinal":"2","NoteData":"2022-01-20","Type":"Other","Title":"Published"},{"CveYear":"2022","CveId":"21658","Ordinal":"3","NoteData":"2022-02-12","Type":"Other","Title":"Modified"}]}}}