GHSA-cgw6-f3mj-h742: 
Rust vulnerability analysis and mitigation

A directory traversal vulnerability was discovered in the rust-embed package affecting versions prior to 6.3.0. The vulnerability, identified as GHSA-cgw6-f3mj-h742, was discovered on November 27, 2021, and published to the GitHub Advisory Database on June 17, 2022. The issue occurs when running in debug mode and the debug-embed feature (which is off by default) is not enabled, where the generated get method fails to verify if the input path is a child of the specified folder (RustSec Advisory, GitHub Advisory).

The vulnerability is classified as CWE-22 and carries a Moderate severity rating. The issue stems from the get method's implementation, which fails to properly validate file paths. When the application runs in debug mode without the debug-embed feature enabled, attackers can manipulate file paths to access files outside the intended directory structure. This is achieved through path traversal sequences (../), allowing access to arbitrary files in the filesystem when an attacker controls the filename input (GitHub Advisory).

The vulnerability enables attackers with control over filename inputs to read arbitrary files from the system's filesystem. For example, an attacker could potentially access sensitive system files such as /etc/passwd by using path traversal sequences, leading to unauthorized access to confidential system information (RustSec Advisory).

The vulnerability has been patched in version 6.3.0 of rust-embed. The fix involves canonicalizing the input filename and ensuring it starts with the canonicalized folder path, preventing directory traversal attempts. Users are advised to upgrade to version 6.3.0 or later to address this security issue (GitHub Advisory).