CVE-2022-46176: 
Rust vulnerability analysis and mitigation

Cargo, the Rust package manager, was found to have a security vulnerability where it did not perform SSH host key verification when cloning indexes and dependencies via SSH. This vulnerability, identified as CVE-2022-46176, affects all Rust versions containing Cargo before 1.66.1. The issue was discovered by the Julia Security Team and disclosed to the Rust Security Response WG (Rust Blog, GitHub Advisory).

When an SSH client establishes communication with a server, it should verify the server's public key against previously known keys to prevent man-in-the-middle (MITM) attacks. Cargo failed to implement these checks, performing no validation on the server's public key. The vulnerability received a CVSS v3.1 base score of 5.9 (MEDIUM) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N, indicating a network-accessible vulnerability with high attack complexity (NVD).

The vulnerability could enable attackers to perform man-in-the-middle (MITM) attacks. Users were vulnerable even if they didn't explicitly use SSH for alternate registry indexes or crate dependencies, as the issue also affected cases where git was configured to replace HTTPS connections to GitHub with SSH through git's url..insteadOf setting (GitHub Advisory).

The vulnerability was fixed in Rust 1.66.1, released on January 10, 2023. The update ensures Cargo checks the SSH host key and aborts the connection if the server's public key is not already trusted. For users unable to upgrade immediately, a workaround was provided by configuring Cargo to use the git CLI instead of its built-in git support by adding '[net] git-fetch-with-cli = true' to the Cargo configuration file (GitHub Advisory, Rust Blog).