Cargo
CVE-2023-38497
HIGH
Severity by source
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local user, another local user could exploit this to change the source code compiled and executed by the current user. To prevent existing cached extractions from being exploitable, the Cargo binary version 0.72.2 included in Rust 1.71.1 or later will purge caches generated by older Cargo versions automatically. As a workaround, configure one's system to prevent other local users from accessing the Cargo directory, usually located in ~/.cargo.
AnalysisAI
Cargo downloads the Rust project’s dependencies and compiles the project. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-278. Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local user, another local user could exploit this to change the source code compiled and executed by the current user. To prevent existing cached extractions from being exploitable, the Cargo binary version 0.72.2 included in Rust 1.71.1 or later will purge caches generated by older Cargo versions automatically. As a workaround, configure one's system to prevent other local users from accessing the Cargo directory, usually located in ~/.cargo. Affected products include: Rust-Lang Cargo, Fedoraproject Fedora. Version information: version 0.72.2.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in The Wikimedia Foun
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimed
Cross-Site Request Forgery (CSRF) vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows Cross Site Request
Cargo is a package manager for the rust programming language. Rated high severity (CVSS 8.1), this vulnerability is remo
Tarball unpacking in Rust's Cargo package manager fails to reject symlinks within downloaded crate archives, enabling a
Cargo is a package manager for the rust programming language. Rated medium severity (CVSS 6.5), this vulnerability is re
Credential leakage in Cargo's sparse index registry URL normalization affects all Cargo releases from 1.68 through 1.96.
Same weakness CWE-278 – Insecure Preserved Inherited Permissions
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today