What is CVE-2022-46176?

CVE-2022-46176 is a medium-severity vulnerability in Rust-lang Cargo, classified under Improper Verification of Cryptographic Signature. CVSS score: 5.3/10. Published 2023-01-11.

How severe is CVE-2022-46176?

Medium severity. CVSS v3 base score is 5.3 out of 10.

Is CVE-2022-46176 known to be exploited?

2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Rust-lang Cargo

CVE-2022-46176

Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle (MI…

EPSS: 0.001 (35.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N.

Affected products

Rust-lang Cargo — versions <= 0.67.0

Weakness classification (CWE)

CWE-347 — Improper Verification of Cryptographic Signature

Public proof-of-concept exploits

References

Frequently asked questions

What is CVE-2022-46176?: CVE-2022-46176 is a medium-severity vulnerability in Rust-lang Cargo, classified under Improper Verification of Cryptographic Signature. CVSS score: 5.3/10. Published 2023-01-11.
How severe is CVE-2022-46176?: Medium severity. CVSS v3 base score is 5.3 out of 10.
Is CVE-2022-46176 known to be exploited?: 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.