Cargo not respecting umask when extracting crate archives
CVE-2023-38497

7.8 HIGH

Key Information:

Vendor: Rust-lang
Status: Vendor
CVE Published: 4 August 2023

Badges

👾 Exploit Exists
🟡 Public PoC

Summary

Cargo, the package manager for the Rust programming language, does not respect the umask when extracting crate archives on UNIX-like systems. As a result, a local user can modify the extracted source code that another user will later compile and execute. To mitigate this risk, update to Cargo version 0.72.2 or later, which implements a mechanism to purge caches created by previous versions. It is also advisable to configure system permissions to restrict access to the Cargo directory, typically found in ~/.cargo, so that builds are shielded from unauthorized local modification.
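The permission check recommended above, as an added example (not part of the original advisory and not Cargo's own code): it lists entries under the Cargo home that are writable by group or other, and can clear those bits. The function names and the constructed demo tree are assumptions made for illustration.

```python
import os
import stat
import tempfile

GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH

def find_writable(cargo_home):
    """Return sorted (path, mode) pairs writable by group or other."""
    if not os.path.isdir(cargo_home):
        return []
    paths = [cargo_home]
    for root, dirs, files in os.walk(cargo_home):
        paths.extend(os.path.join(root, name) for name in dirs + files)
    hits = []
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode bits carry no meaning
        mode = stat.S_IMODE(st.st_mode)
        if mode & GROUP_OTHER_WRITE:
            hits.append((path, mode))
    return sorted(hits)

def tighten(hits):
    """Clear the group/other write bits on every reported entry."""
    for path, mode in hits:
        os.chmod(path, mode & ~GROUP_OTHER_WRITE)

def demo():
    """Audit and fix a constructed cache tree with loose modes."""
    with tempfile.TemporaryDirectory() as home:
        crate = os.path.join(home, "registry", "src", "example-crate-0.1.0")
        os.makedirs(crate)
        for d in ("registry", os.path.join("registry", "src")):
            os.chmod(os.path.join(home, d), 0o755)
        os.chmod(crate, 0o777)  # constructed: modes taken from an archive
        for name, mode in (("lib.rs", 0o666), ("build.rs", 0o644)):
            p = os.path.join(crate, name)
            open(p, "w").close()
            os.chmod(p, mode)
        before = find_writable(home)
        tighten(before)
        rel = sorted(os.path.relpath(p, home) for p, _ in before)
        return rel, find_writable(home)

if __name__ == "__main__":
    home = os.environ.get("CARGO_HOME", os.path.expanduser("~/.cargo"))
    for path, mode in find_writable(home):
        print(f"{mode:04o} {path}")
```

Run as a script, it only reports; call `tighten()` on the result once the listed entries have been reviewed.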

Affected Version(s)

cargo < 0.72.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component for weaponization, which could lead to ransomware.

References

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved
