#VU78930 Incorrect default permissions in Cargo - CVE-2023-38497

Cybersecurity Help s.r.o.

Published: 2023-08-03 | Updated: 2023-08-04

Vulnerability identifier: #VU78930

Vulnerability risk: Low

CVSSv4.0: 7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2023-38497

CWE-ID: CWE-276

Exploitation vector: Local

Exploit availability: Yes

Vulnerable software:
Cargo

Vendor: The Rust Programming Language

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to Cargo does not respect the umask when extracting crate archives on UNIX-like systems. A local user can change the source code compiled and executed by the current user.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Cargo: homu-tmp - 0.72.1

External links
https://github.com/rust-lang/cargo/security/advisories/GHSA-j3xp-wfr4-hx87
https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2023-38497

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

openEuler 22.03 LTS SP3 update for rust

openEuler 22.03 LTS SP4 update for rust

Amazon Linux AMI update for rust

Gentoo update for Rust

Oracle Solaris update for thrid-party components

Red HatEnterprise Linux 8 update for the rust-toolset:rhel8 module

Red Hat Enterprise Linux 9.0 Extended Update Support update for rust

Anolis OS update for rust

Fedora EPEL 7 update for rust

Fedora 37 update for rust