CVE-2023-38497
Description
Cargo downloads the Rust projectβs dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local user, another local user could exploit this to change the source code compiled and executed by the current user. To prevent existing cached extractions from being exploitable, the Cargo binary version 0.72.2 included in Rust 1.71.1 or later will purge caches generated by older Cargo versions automatically. As a workaround, configure one's system to prevent other local users from accessing the Cargo directory, usually located in `~/.cargo`.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or β if you've already worked around this in production β publish your fix to the community-verified tier.
β Propose a mitigation on Community β Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| β | Affected | β |
Debian Mixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 0.76.0-1 |
| sid | Fixed | 0.76.0-1 |
| forky | Fixed | 0.76.0-1 |
| bullseye | Affected | β |
| bookworm | Affected | β |
AlmaLinux Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | rust-analysis-1.66.1-2.el9_2.aarch64.rpm |
Red Hat Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | β |
| 8 | Fixed | β |
Rocky Linux Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | β |
| 8 | Fixed | β |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| crates.io | cargo | <0.72.2 | 0.72.2 |
References
- https://access.redhat.com/errata/RHSA-2023:4634
- https://security-tracker.debian.org/tracker/CVE-2023-38497
- https://errata.rockylinux.org/RLSA-2023:4635
- https://www.suse.com/security/cve/CVE-2023-38497.html
- https://errata.rockylinux.org/RLSA-2023:4634
- https://github.com/rust-lang/cargo/security/advisories/GHSA-j3xp-wfr4-hx87
- https://nvd.nist.gov/vuln/detail/CVE-2023-38497
- https://github.com/rust-lang/cargo/pull/12443
- https://github.com/rust-lang/cargo/commit/d78bbf4bde3c6b95caca7512f537c6f9721426ff
- https://en.wikipedia.org/wiki/Umask
- https://github.com/rust-lang/cargo
- https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2023-38497
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGKE6PGM4HIQUHPJRBQAHMELINSGN4H4
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMEXGUGPW5OBSQA6URTBNDSU3RAEFOZ4
- https://www.rust-lang.org/policies/security
- https://access.redhat.com/errata/RHSA-2023:4635
- https://bugzilla.redhat.com/2228038
- https://errata.almalinux.org/8/ALSA-2023-4635.html
- https://errata.almalinux.org/9/ALSA-2023-4634.html
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.