Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-38497

Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local user, another local user could exploit this to change the source code compiled and executed by the current user. To prevent existing cached extractions from being exploitable, the Cargo binary version 0.72.2 included in Rust 1.71.1 or later will purge caches generated by older Cargo versions automatically. As a workaround, configure one's system to prevent other local users from accessing the Cargo directory, usually located in `~/.cargo`.

Published

2023-08-04T16:15:10.370

Last Modified

2024-11-21T08:13:41.803

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.9 (HIGH)

Weaknesses

Type: Secondary
CWE-278
Type: Primary
CWE-732

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	rust-lang	cargo	< 0.72.2	Yes
Operating System	fedoraproject	fedora	38	Yes

References

https://en.wikipedia.org/wiki/Umask Not Applicable ([email protected])
https://github.com/rust-lang/cargo/commit/d78bbf4bde3c6b95caca7512f537c6f9721426ff Patch ([email protected])
https://github.com/rust-lang/cargo/pull/12443 Mailing List, Patch ([email protected])
https://github.com/rust-lang/cargo/security/advisories/GHSA-j3xp-wfr4-hx87 Vendor Advisory ([email protected])
https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2023-38497 Third Party Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/[email protected]/message/QGKE6PGM4HIQUHPJRBQAHMELINSGN4H4/ Mailing List, Third Party Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/[email protected]/message/QMEXGUGPW5OBSQA6URTBNDSU3RAEFOZ4/ ([email protected])
https://www.rust-lang.org/policies/security Product ([email protected])
https://en.wikipedia.org/wiki/Umask Not Applicable (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/rust-lang/cargo/commit/d78bbf4bde3c6b95caca7512f537c6f9721426ff Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/rust-lang/cargo/pull/12443 Mailing List, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/rust-lang/cargo/security/advisories/GHSA-j3xp-wfr4-hx87 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2023-38497 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/[email protected]/message/QGKE6PGM4HIQUHPJRBQAHMELINSGN4H4/ Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/[email protected]/message/QMEXGUGPW5OBSQA6URTBNDSU3RAEFOZ4/ (af854a3a-2127-422b-91ae-364da2661108)
https://www.rust-lang.org/policies/security Product (af854a3a-2127-422b-91ae-364da2661108)