# random
w
A bad vulnerability? Absolutely... A 10/10? That feels a bit egregious https://github.com/rust-lang/rust/security/advisories/GHSA-q455-m56c-85mh
c
I think it's because it's basically arbitrary code execution for things that accept the names of uploaded files and run CMD on them. Like if you accept image uploads and then run a quick CMD script to extract some metadata and apply some compression if it's too large. It's a bit of a niche scenario, but definitely that dangerous.
w
Yeah, I can see it, but like - run on a batch file, and then accept arbitrary unsanitized code, only on Windows, etc etc etc. It was patched yesterday, so meh. But, at the same time - there was a Palo Alto firewall remote execution attack vulnerability. THAT feels like a 10++ according to this scale.
c
It wasn't (supposed to be) unsanitised, though. The API was supposed to pass them as individual arguments (like argv), in which case not sanitising them yourself would be "fine". I guess there isn't a separate scale/score for the difficulty of a developer making their code vulnerable.
w
100% - I agree it's bad, but yeah, the dynamic range of these vulnerability ratings is pretty narrow 🙂
c
yeah, there should be a number somewhere to differentiate log4j (every Java app ever) from this (how many Rust devs are calling out to cmd.exe for the ultimate `unsafe`)
I wonder how difficult it would be to write a static analyser for this.