Insecure Preserved Inherited Permissions Affecting rust-cargo package, versions *


Severity

Recommended
low

Based on Debian security rating.

Threat Intelligence

EPSS
4.81% (89th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-DEBIAN12-RUSTCARGO-5821367
  • published4 Aug 2023
  • disclosed4 Aug 2023

Introduced: 4 Aug 2023

CVE-2023-38497  (opens in a new tab)
CWE-278  (opens in a new tab)

How to fix?

There is no fixed version for Debian:12 rust-cargo.

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-cargo package and not the rust-cargo package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local user, another local user could exploit this to change the source code compiled and executed by the current user. To prevent existing cached extractions from being exploitable, the Cargo binary version 0.72.2 included in Rust 1.71.1 or later will purge caches generated by older Cargo versions automatically. As a workaround, configure one's system to prevent other local users from accessing the Cargo directory, usually located in ~/.cargo.

CVSS Base Scores

version 3.1