Cargo URL Normalization Vulnerability in Sparse Registries Allowing Credential Sharing

Vulnerability

Cargo versions from 1.68 up to, but not including, 1.96 normalize the URLs of third-party registries that use the sparse index protocol incorrectly. The flaw becomes exploitable when a hosting provider lets several registries live under the same domain with arbitrary names: an attacker who can publish crates to such a registry can obtain the credentials that other users hold for that same registry. The severity is rated low because exploitation depends on this specific hosting arrangement.

Impact

Because two registries hosted under the same domain are treated as one, Cargo sends a user's token for the legitimate registry to a registry the attacker controls. The attacker therefore receives the authentication tokens of every user who fetches a crate the attacker has published, without the user noticing anything unusual about the build.

Reproduction

To reproduce the issue, the attacker first needs publish access to a registry that permits dependencies on other registries. The attacker then hosts a second registry index on the same domain, using the first registry's name with a '.git' suffix appended, and configures that second registry to require authentication for downloads. Finally, the attacker publishes a crate in the first registry that depends on a crate from the '.git' registry and gets a user to depend on or build it. When Cargo resolves that dependency, its URL normalization treats the two registries as the same one and sends the user's credentials for the legitimate registry to the attacker's registry.

Remediation

Update to Cargo 1.96 or later, which corrects the URL normalization so that a sparse registry at a given path and one at the same path with a '.git' suffix are no longer treated as the same registry. Check the installed version with `cargo --version`; releases from 1.68 up to, but not including, 1.96 are affected. No fix is available for earlier Cargo versions other than upgrading.
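The reproduction and the fix both come down to one question: which key Cargo uses to look up a stored token for a registry. The following Rust program is an added illustration of that point, not Cargo's source code. It models a credential store keyed by a normalized index URL, shows a lossy normalization under which a sparse registry at `acme` and one at `acme.git` on the same host resolve to the same token, and a hardened normalization that keeps them apart. The `sparse+` prefix handling, the `crates.example.com` host, the registry names and the token string are all constructed for this example.

```rust
// Added illustration, not Cargo's own source: a credential store keyed by a
// normalized index URL, with the lossy normalization the advisory describes
// beside a hardened one. Hosts, registry names and tokens are made up.
use std::collections::HashMap;

/// Index protocol. Assumption for this example: sparse indexes are written
/// with a `sparse+` prefix, as in a `.cargo/config.toml` registry entry;
/// anything else is treated as a git index.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
enum Protocol {
    Sparse,
    Git,
}

/// Split an index URL into its protocol and the underlying HTTPS URL.
fn split_protocol(index_url: &str) -> (Protocol, &str) {
    match index_url.strip_prefix("sparse+") {
        Some(rest) => (Protocol::Sparse, rest),
        None => (Protocol::Git, index_url),
    }
}

/// Lossy normalization: drop the protocol, trailing slashes and a trailing
/// `.git` for every registry. `.../acme/` and `.../acme.git/` collapse onto
/// one key, which is the credential-sharing condition the advisory describes.
fn normalize_naive(index_url: &str) -> String {
    let (_, url) = split_protocol(index_url);
    let url = url.trim_end_matches('/');
    url.strip_suffix(".git").unwrap_or(url).to_string()
}

/// Hardened normalization: keep the protocol in the key and only strip `.git`
/// for git indexes, where `repo` and `repo.git` conventionally name the same
/// repository. For a sparse index they are two different HTTP paths.
fn normalize_hardened(index_url: &str) -> String {
    let (proto, url) = split_protocol(index_url);
    let url = url.trim_end_matches('/');
    match proto {
        Protocol::Git => format!("git:{}", url.strip_suffix(".git").unwrap_or(url)),
        Protocol::Sparse => format!("sparse:{}", url),
    }
}

/// Minimal token store: one token per normalized index URL.
struct CredentialStore {
    normalize: fn(&str) -> String,
    tokens: HashMap<String, String>,
}

impl CredentialStore {
    fn new(normalize: fn(&str) -> String) -> Self {
        CredentialStore { normalize, tokens: HashMap::new() }
    }

    /// `cargo login`-style: remember a token for a registry.
    fn login(&mut self, index_url: &str, token: &str) {
        self.tokens.insert((self.normalize)(index_url), token.to_string());
    }

    /// Token that would be sent when a registry demands authentication.
    fn token_for(&self, index_url: &str) -> Option<&str> {
        self.tokens.get(&(self.normalize)(index_url)).map(String::as_str)
    }
}

/// The advisory's scenario with constructed names: the victim holds a token
/// for the sparse registry `acme`; the attacker hosts `acme.git` on the same
/// domain and requires authentication for downloads. Returns the token the
/// attacker's registry would receive under the given normalization.
fn leaked_token(normalize: fn(&str) -> String) -> Option<String> {
    let victim_registry = "sparse+https://crates.example.com/acme/";
    let attacker_registry = "sparse+https://crates.example.com/acme.git/";

    let mut store = CredentialStore::new(normalize);
    store.login(victim_registry, "victim-token");
    store.token_for(attacker_registry).map(String::from)
}

fn main() {
    println!("lossy normalization leaks:    {:?}", leaked_token(normalize_naive));
    println!("hardened normalization leaks: {:?}", leaked_token(normalize_hardened));
}
```

Run as written, the lossy variant hands `Some("victim-token")` to the attacker's registry and the hardened one returns `None`, while the hardened variant still maps `repo` and `repo.git` to one key for git indexes. The design point is that a normalization written for git remotes, where the suffix is cosmetic, must not be reused for sparse indexes, where the suffix is part of the path the HTTP server routes on.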

Added: May 26, 2026, 7:58 PM
Updated: May 26, 2026, 7:58 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 4.9
remediation: 0.0
relevance: 9.4
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.