In the Cargo package manager, used to manage packages and assembly of projects in Rust, a vulnerability is revealed (CVE-2022-46176), which allows a MITM attack that allows you to wedge into the channel of communication with the server. The vulnerability is caused by the lack of an open key check during the cloning of indexes and dependencies by SSH, which allows you to redirect the contact server if you have the attacking possibility of interception of traffic (for example, when controlling the wireless access point or compromising a home/office router).
The attack can be made, including on configurations that clearly do not use SSH to contact indexes or dependencies, if the Git settings are allowed to replace HTTPS connection to SSH (URL..insteadof parameter), which leads to index cloning repository Crates.io by ssh.
Vulnerability is eliminated in the release of RUST 1.66.1, in which a check of the current open key of the SSH server was implemented, which was used in past sessions. In the event of a key change in the new version, an error is displayed due to suspicion of making a MITM attack. At the first connection, instead of confirming the authenticity of the server open key, an error with information on how to add an open key to the list of keys that deserve confidence, which can affect the operation of automated assembly systems that first cloning indexes or dependence on a certain host.