What is CVE-2022-36114?

CVE-2022-36114 is a medium-severity vulnerability in Rust-lang Cargo, classified under Uncontrolled Resource Consumption. CVSS score: 4.8/10. Published 2022-09-14.

How severe is CVE-2022-36114?

Medium severity. CVSS v3 base score is 4.8 out of 10.

Is CVE-2022-36114 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Resource exhaustion in Rust-lang Cargo

CVE-2022-36114

Cargo is a package manager for the rust programming language. It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternate registry a specially crafted package t…

Vulnerability class: DoS (Denial of Service)

EPSS: 0.005 (65.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 4.8 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H.

Affected products

Rust-lang Cargo — versions < 0.65.0, = 0.66.0

Weakness classification (CWE)

CWE-400 — Uncontrolled Resource Consumption

Public proof-of-concept exploits

ARPSyndicate/cvemon

References

https://github.com/rust-lang/cargo/security/advisories/GHSA-2hvr-h6gw-qrxp (x_refsource_CONFIRM)
https://github.com/rust-lang/cargo/commit/d1f9553c825f6d7481453be8d58d0e7f117988a7 (x_refsource_MISC)

Frequently asked questions

What is CVE-2022-36114?: CVE-2022-36114 is a medium-severity vulnerability in Rust-lang Cargo, classified under Uncontrolled Resource Consumption. CVSS score: 4.8/10. Published 2022-09-14.
How severe is CVE-2022-36114?: Medium severity. CVSS v3 base score is 4.8 out of 10.
Is CVE-2022-36114 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.