7.9

CVE-2023-38497

EPSS 5.66%
Veröffentlicht 04.08.2023 16:15:10
Zuletzt bearbeitet 21.11.2024 08:13:41
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local user, another local user could exploit this to change the source code compiled and executed by the current user. To prevent existing cached extractions from being exploitable, the Cargo binary version 0.72.2 included in Rust 1.71.1 or later will purge caches generated by older Cargo versions automatically. As a workaround, configure one's system to prevent other local users from accessing the Cargo directory, usually located in `~/.cargo`.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 11

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Rust-lang ≫ Cargo SwPlatformrust Version < 0.72.2

Fedoraproject ≫ Fedora Version38

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	5.66%	0.9

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.3	1.3	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
security-advisories@github.com	7.9	1.5	5.8	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

CWE-278 Insecure Preserved Inherited Permissions

A product inherits a set of insecure permissions for an object, e.g. when copying from an archive file, without user awareness or involvement.

CWE-732 Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

https://en.wikipedia.org/wiki/Umask

Not Applicable

https://github.com/rust-lang/cargo/commit/d78bbf4bde3c6b95caca7512f537c6f9721426ff

Patch

https://github.com/rust-lang/cargo/pull/12443

Patch

Mailing List

https://github.com/rust-lang/cargo/security/advisories/GHSA-j3xp-wfr4-hx87

Vendor Advisory

https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2023-38497

Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGKE6PGM4HIQUHPJRBQAHMELINSGN4H4/

Third Party Advisory

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMEXGUGPW5OBSQA6URTBNDSU3RAEFOZ4/

https://www.rust-lang.org/policies/security

Product

https://nvd.nist.gov/vuln/detail/CVE-2023-38497

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-38497

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-38497

EUVD