PT-2023-9267 · Rust · Cargo

Addisoncrump · Published 2023-08-03 · Updated 2025-03-07 · CVE-2023-38497

CVSS v3.1: 7.9 (High)
Vector: AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Cargo versions prior to 0.72.2; Rust versions prior to 1.71.1

Description: Cargo, the package manager for the Rust programming language, ignores the umask when extracting crate archives on UNIX-like systems. If a downloaded crate contains files writable by any local user, those files are written to disk with the same permissions. This could allow an attacker to execute arbitrary code: another local user could modify the extracted source code, which is then compiled and executed by the current user.

Recommendations: For Cargo versions prior to 0.72.2, update to version 0.72.2 or later. For Rust versions prior to 1.71.1, update to version 1.71.1 or later. As a temporary workaround, configure the system so that other local users cannot access the Cargo directory, usually located in ~/.cargo.
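Added example (not Cargo's own code): a Python model of the extraction defect and of the permission audit the workaround calls for. `extract()` writes a constructed archive member either with its archive mode verbatim (the pre-fix behaviour) or masked by the process umask (what the fix does), and `world_writable()` is a defender-side check that can be pointed at a real ~/.cargo tree. The archive contents, paths and umask value are constructed for the demonstration.

```python
import io, os, stat, tarfile, tempfile


def build_archive(mode: int) -> bytes:
    # Constructed stand-in for a .crate: one source file shipped with the given mode bits.
    data = b"fn main() {}\n"
    info = tarfile.TarInfo("pkg-0.1.0/src/main.rs")
    info.size, info.mode = len(data), mode
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def extract(archive: bytes, dest: str, apply_umask: bool) -> int:
    # Return the on-disk permission bits of the last file written. apply_umask=False mirrors
    # the pre-fix behaviour (archive mode written verbatim); apply_umask=True clears the bits
    # the process umask forbids, which is what the fix does.
    umask = os.umask(0); os.umask(umask)  # read the current umask without changing it
    result = -1
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        for member in tar:
            if not member.isfile():
                continue
            target = os.path.join(dest, member.name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(tar.extractfile(member).read())
            os.chmod(target, (member.mode & ~umask if apply_umask else member.mode) & 0o777)
            result = stat.S_IMODE(os.stat(target).st_mode)
    return result


def world_writable(root: str) -> list:
    # Audit a directory tree such as ~/.cargo for entries writable by any local user.
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.lstat(path).st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def demo() -> dict:
    archive = build_archive(0o666)  # the archive itself ships a world-writable file
    saved = os.umask(0o022)  # typical interactive umask
    try:
        with tempfile.TemporaryDirectory() as tmp:
            vuln, fixed = os.path.join(tmp, "vuln"), os.path.join(tmp, "fixed")
            return {"vulnerable_mode": extract(archive, vuln, False), "fixed_mode": extract(archive, fixed, True),
                    "flagged_before_fix": world_writable(vuln), "flagged_after_fix": world_writable(fixed)}
    finally:
        os.umask(saved)
```

Under umask 022 the verbatim extraction leaves the source file at mode 0666 and the audit flags it, while the masked extraction yields 0644 and nothing is flagged.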

Weakness Enumeration: Incorrect Permission

Related Identifiers

ALSA-2023:4634
ALSA-2023:4635
ALSA-2023_4634
ALSA-2023_4635
ALT-PU-2023-4714
ALT-PU-2024-2838
AZL-28510
BDU:2024-05823
CESA-2023_4635
CVE-2023-38497
GHSA-J3XP-WFR4-HX87
OESA-2025-1236
OESA-2025-1237
OPENSUSE-SU-2023_3251-1
OPENSUSE-SU-2024:13101-1
RHSA-2023:4634
RHSA-2023:4635
RHSA-2023:4651
RHSA-2023_4634
RHSA-2023_4635
RHSA-2024:3418
RHSA-2024:3428
RLSA-2023:4634
RLSA-2023:4635
SUSE-SU-2023:3251-1
SUSE-SU-2023_3251-1
USN-6275-1

Affected Products

Alt Linux
Almalinux
Cargo
Centos
Debian
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu