tracing-subscriber ANSI Escape Sequence Injection Vulnerability
Vulnerability
An ANSI escape sequence injection vulnerability has been identified in the tracing-subscriber crate for Rust, affecting versions prior to 0.3.20. When untrusted user input containing ANSI escape sequences is logged, affected versions pass those sequences through unmodified to terminal output, where the terminal interprets them. Injected sequences could change the terminal title bar, clear the screen, alter what is displayed, and so mislead users reading the logs. The impact of this flaw on its own is minimal, but the injected sequences could also trigger security issues in terminal emulators that mishandle ANSI escape sequences.
Impact
Exploitation could produce misleading terminal manipulations, such as altering the terminal display or title, and could potentially trigger vulnerabilities in the terminal emulator itself, according to Packetlabs.
Remediation
Users can upgrade to tracing-subscriber version 0.3.20 or later, which addresses the vulnerability by escaping ANSI control characters when logging events to terminal-bound destinations. Alternatively, logs can be printed to terminal emulators that do not process ANSI control sequences.
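The following Rust example, added here and not taken from the tracing-subscriber crate, illustrates both the problem described under Vulnerability and the escaping approach described under Remediation: a constructed user-supplied value carries an OSC title-change and a CSI clear-screen sequence, a small detector flags the escape introducers, and a sanitizer renders every control character as visible text so the terminal never interprets it. The names `escape_controls`, `contains_ansi_escape`, `Untrusted` and `render_log_line`, and the log-line format, are assumptions for this example and do not correspond to any tracing-subscriber API.

```rust
use std::fmt;

/// Escape every control character (C0 0x00-0x1F, DEL 0x7F, C1 0x80-0x9F) in
/// `input` so it is displayed as a visible Rust-style escape (e.g. ESC becomes
/// the text "\u{1b}") instead of being interpreted by the terminal.
/// Printable text, including non-ASCII, is passed through unchanged.
fn escape_controls(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        if c.is_control() {
            // escape_default renders \n, \r and \t as such and every other
            // control as \u{..}; this is a display transform, not a
            // reversible encoding (a literal backslash in input is kept as-is).
            out.extend(c.escape_default());
        } else {
            out.push(c);
        }
    }
    out
}

/// Detection helper: does `input` carry a character that can start an ANSI
/// control sequence? ESC (0x1B) introduces the 7-bit CSI ("ESC [") and OSC
/// ("ESC ]") forms; U+009B and U+009D are the single-byte C1 equivalents.
fn contains_ansi_escape(input: &str) -> bool {
    input.chars().any(|c| matches!(c, '\u{1b}' | '\u{9b}' | '\u{9d}'))
}

/// Hypothetical newtype for untrusted values that will be formatted into a
/// log line. Formatting it with `{}` always goes through `escape_controls`,
/// so a call site cannot forget to sanitize.
struct Untrusted<'a>(&'a str);

impl fmt::Display for Untrusted<'_> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str(&escape_controls(self.0))
    }
}

/// Build one log line the way a terminal-bound writer might, with the
/// untrusted field value escaped. The layout is illustrative only.
fn render_log_line(level: &str, message: &str, field: &str, value: &str) -> String {
    format!("{} {} {}={}", level, message, field, Untrusted(value))
}

fn main() {
    // Constructed sample input: an OSC sequence that would retitle the
    // terminal window, followed by a CSI "erase display" sequence.
    let user_supplied = "alice\x1b]0;you have been logged out\x07\x1b[2J";

    if contains_ansi_escape(user_supplied) {
        println!("warning: field contains an ANSI escape introducer");
    }
    // Printed as visible text rather than executed by the terminal.
    println!("{}", render_log_line("INFO", "login", "user", user_supplied));
}
```

Escaping at the formatting boundary, as the newtype does, is the same idea as the fix in 0.3.20: the subscriber sanitizes before bytes reach a terminal-bound destination, rather than relying on every caller to pre-clean its fields. Keeping the detector separate lets a pipeline also alert on attempted injection rather than silently neutralizing it.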
