CVE-2023-38497

Published: 04/08/2023 Updated: 17/08/2023
CVSS v3 Base Score: 7.3 | Impact Score: 5.9 | Exploitability Score: 1.3
VMScore: 0

Vulnerability Summary

Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local user, another local user could exploit this to change the source code compiled and executed by the current user. To prevent existing cached extractions from being exploitable, the Cargo binary version 0.72.2 included in Rust 1.71.1 or later will purge caches generated by older Cargo versions automatically. As a workaround, configure one's system to prevent other local users from accessing the Cargo directory, usually located in `~/.cargo`.
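The summary above describes an extractor that kept each archive entry's own mode bits instead of masking them with the user's umask, which is what leaves files writable by other local users. The Rust program below is an added example, not Cargo's code: it shows the masking a umask-respecting extractor applies, and an audit that walks a directory (argv[1], defaulting to `~/.cargo`, the location named in the workaround) to list or remediate world-writable entries.

```rust
use std::fs;
use std::io;
use std::os::unix::fs::PermissionsExt;
use std::path::{Path, PathBuf};

/// What a umask-respecting extractor does with a tar entry's mode bits.
pub fn apply_umask(mode: u32, umask: u32) -> u32 {
    mode & 0o7777 & !umask
}

/// Walk `root` (not following symlinks) and collect every file or directory
/// whose mode grants write access to "other", the condition in the advisory.
pub fn find_world_writable(root: &Path) -> io::Result<Vec<PathBuf>> {
    let mut hits = Vec::new();
    let mut stack = vec![root.to_path_buf()];
    while let Some(dir) = stack.pop() {
        for entry in fs::read_dir(&dir)? {
            let entry = entry?;
            let meta = entry.metadata()?; // lstat on Unix, so symlinks are not followed
            if meta.file_type().is_symlink() {
                continue; // a symlink's own mode (usually 0o777) is meaningless here
            }
            if meta.permissions().mode() & 0o002 != 0 {
                hits.push(entry.path());
            }
            if meta.is_dir() { stack.push(entry.path()); }
        }
    }
    Ok(hits)
}

/// Remediation: re-apply `umask` to each world-writable entry, return the count.
pub fn remediate(root: &Path, umask: u32) -> io::Result<usize> {
    let hits = find_world_writable(root)?;
    for path in &hits {
        let mode = fs::symlink_metadata(path)?.permissions().mode();
        fs::set_permissions(path, fs::Permissions::from_mode(apply_umask(mode, umask)))?;
    }
    Ok(hits.len())
}

fn main() -> io::Result<()> {
    // Audit argv[1], defaulting to ~/.cargo, the location named in the workaround.
    let home = std::env::var("HOME").unwrap_or_default();
    let root = std::env::args().nth(1).unwrap_or_else(|| format!("{home}/.cargo"));
    for p in find_world_writable(Path::new(&root))? { println!("world-writable: {}", p.display()); }
    Ok(())
}
```

Running the audit lists entries under the cache that any local user could modify; `remediate` applies the usual `0o022` umask to them.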

Vulnerability Trend

Vulnerable Products

rust-lang cargo

fedoraproject fedora 38

Vendor Advisories

Debian Bug report logs - #1043553 cargo: CVE-2023-38497 Package: src:cargo; Maintainer for src:cargo is Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Sat, 12 Aug 2023 21:15:02 UTC Severity: important Tags: security, upstream Found in vers ...
Synopsis Important: rust-toolset:rhel8 security update Type/Severity Security Advisory: Important Topic An update for the rust-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security h ...
Synopsis Important: rust-toolset-1.66-rust security update Type/Severity Security Advisory: Important Topic An update for rust-toolset-1.66-rust is now available for Red Hat Developer Tools. Red Hat Product Security has rat ...
Synopsis Important: rust security update Type/Severity Security Advisory: Important Topic An update for rust is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a securi ...