GHSA-mc8h-8q98-g5hr

Suggest an improvement
Source
https://github.com/advisories/GHSA-mc8h-8q98-g5hr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mc8h-8q98-g5hr/GHSA-mc8h-8q98-g5hr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mc8h-8q98-g5hr
Aliases
Related
Published
2023-02-24T16:23:59Z
Modified
2023-11-08T04:21:01.612080Z
Summary
Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU) Race Condition in remove_dir_all
Details

The remove_dir_all crate is a Rust library that offers additional features over the Rust standard library fs::remove_dir_all function. It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked.

Thanks to the Rust security team for identifying the problem and alerting us to it.

Database specific 
{
    "github_reviewed": true,
    "severity": "LOW",
    "cwe_ids": [
        "CWE-366",
        "CWE-367"
    ],
    "nvd_published_at": null,
    "github_reviewed_at": "2023-02-24T16:23:59Z"
}
References

Affected packages

crates.io / remove_dir_all

Package

Name
remove_dir_all
View open source insights on deps.dev
Purl
pkg:cargo/remove_dir_all

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.8.0