A critical vulnerability in the Rust standard library could be exploited to target Windows systems and perform command injection attacks.
The flaw was discovered by a security engineer from Flatt Security known as RyotaK. They named it BatBadBut, reported it to the CERT Coordination Center (CERT/CC) and published an analysis on April 9, 2024.
That same day, GitHub registered it as CVE-2024-24576, with a severity score (CVSS) of 10.0.
BatBadBut is a vulnerability that allows an attacker to perform command injection on Windows applications that indirectly depend on the ‘CreateProcess’ function, when specific conditions are satisfied.
The high CVSS score results from how such scores are assigned to libraries.
The CVSS v3.1 user guide states that the score of a library should be calculated from the worst-case scenario, which is why recent vulnerabilities in programming languages have received high scores even though exploitation requires specific conditions.
Read more: “Windows: New ‘BatBadBut’ Rust Vulnerability Given Highest CVSS Score”, Infosecurity Magazine (infosecurity-magazine.com).