Insecure Preserved Inherited Permissions Affecting cargo package, versions >=0.0.0


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.04% (6th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RUST-CARGO-5819552
  • published4 Aug 2023
  • disclosed3 Aug 2023
  • creditaddisoncrump

Introduced: 3 Aug 2023

CVE-2023-38497  (opens in a new tab)
CWE-278  (opens in a new tab)

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

cargo is a Cargo, a package manager for Rust.

Affected versions of this package are vulnerable to Insecure Preserved Inherited Permissions such that it does not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local user, another local user could exploit this to change the source code compiled and executed by the current user.

Note:

All Rust versions before 1.71.1 on UNIX-like systems (like macOS and Linux) are affected. Note that additional system-dependent security measures configured on the local system might prevent the vulnerability from being exploited.

Users on Windows and other non-UNIX-like systems are not affected.

CVSS Scores

version 3.1