Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writable by any local user, another local user could exploit this to change the source code compiled and executed by the current user. To prevent existing cached extractions from being exploitable, the Cargo binary version 0.72.2 included in Rust 1.71.1 or later will purge caches generated by older Cargo versions automatically. As a workaround, configure the system to prevent other local users from accessing the Cargo directory, usually located in `~/.cargo`.
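A defender-side check for the workaround in the description above, added here as an example (it is not part of the CVE record or of Cargo itself): it lists files under a Cargo home that other local users could write to, counts them, and then removes the group/other write bits and closes the top-level directory to other users. The `cargo_*` function names and the temporary directory layout used for testing are assumptions.

```shell
#!/bin/sh
# Added example, not from the advisory or the Cargo project.
# Audits a Cargo home (defaults to $CARGO_HOME, then ~/.cargo, as the
# advisory notes) for extracted files that other local users could modify,
# which is the condition a pre-0.72.2 Cargo could leave behind.

# Print every file or directory under the Cargo home whose mode has the
# group-write (020) or other-write (002) bit set. Symlinks are neither
# followed nor reported. The two -perm tests are POSIX (no GNU '/' syntax).
cargo_audit_writable() {
    dir="${1:-${CARGO_HOME:-$HOME/.cargo}}"
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 2
    fi
    find "$dir" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print
}

# Count the findings so the check is usable from scripts: prints the number
# and returns 0 when nothing writable by others was found, 1 otherwise.
cargo_audit_count() {
    n=$(cargo_audit_writable "$1" | wc -l | tr -d ' ')
    echo "$n"
    [ "$n" -eq 0 ]
}

# Apply the workaround: strip group/other write bits from every affected
# entry, then make the Cargo home itself owner-only (mode 700) so other
# local users cannot reach the cached sources at all.
cargo_harden() {
    dir="${1:-${CARGO_HOME:-$HOME/.cargo}}"
    [ -d "$dir" ] || return 2
    find "$dir" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) \
        -exec chmod go-w {} +
    chmod 700 "$dir"
}
```

Run `cargo_audit_count` first to see how many entries are exposed, then `cargo_harden` to fix them; both take an optional explicit path so a non-default `CARGO_HOME` can be checked.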
Published: 2023-08-04 16:15:10
Updated: 2023-08-17 19:15:13
Source: GitHub, Inc.

Exploit prediction scoring system (EPSS) score for CVE-2023-38497

EPSS score: 0.04% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~6% (the proportion of vulnerabilities scored at or below this one)

CVSS scores for CVE-2023-38497

Score source: NIST
  Base score: 7.3 (HIGH)
  CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
  Exploitability score: 1.3
  Impact score: 5.9

Score source: GitHub, Inc.
  Base score: 7.9 (HIGH)
  CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
  Exploitability score: 1.5
  Impact score: 5.8
