CVE-2023-38497

7.9 HIGH

📋 TL;DR

Cargo, Rust's package manager, didn't respect the umask when extracting crate archives on UNIX-like systems, allowing local users to modify downloaded dependencies. This could let attackers alter source code compiled and executed by other users. Affects Rust projects using Cargo versions before 0.72.2 on UNIX-like systems.

💻 Affected Systems

Products:
  • Cargo (Rust package manager)
  • Rust programming language
Versions: Cargo < 0.72.2, Rust < 1.71.1
Operating Systems: UNIX-like systems (Linux, macOS, BSD)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with multiple local users. Windows systems are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Local privilege escalation leading to arbitrary code execution as the target user, potentially compromising the entire system.

🟠 Likely Case: Local user modifies dependencies to inject malicious code into another user's Rust project, leading to data theft or further system compromise.

🟢 If Mitigated: Minimal impact if proper file permissions are enforced and systems are isolated.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local user access.
🏢 Internal Only: HIGH - Multi-user systems where untrusted users share access are at significant risk.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local user access and knowledge of target user's Cargo cache location.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Cargo 0.72.2 / Rust 1.71.1

Vendor Advisory: https://github.com/rust-lang/cargo/security/advisories/GHSA-j3xp-wfr4-hx87

Restart Required: No

Instructions:

1. Update Rust using rustup: `rustup update stable`
2. Verify the Cargo version: `cargo --version` should report a version at or above the fixed release (Cargo 0.72.2 / Rust 1.71.1 toolchain)
3. Cargo will automatically purge old caches on first run after the update.

🔧 Temporary Workarounds

Restrict Cargo directory permissions (Linux / UNIX-like):

Set strict permissions on the ~/.cargo directory so that other users cannot traverse into it or reach the extracted sources inside it:

`chmod 700 ~/.cargo`

🧯 If You Can't Patch

  • Isolate user environments to prevent local user access to others' home directories
  • Run Cargo builds in isolated containers or virtual machines

🔍 How to Verify

Check if Vulnerable:

Check the Cargo version with `cargo --version`. If the reported version is below the fixed release (Cargo 0.72.2 / Rust 1.71.1), the system is vulnerable.

Check Version:

cargo --version

Verify Fix Applied:

Run `cargo --version` and confirm version is 0.72.2 or higher. Check ~/.cargo directory permissions with `ls -la ~/.cargo`.
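The two verification steps above combined into one script, added here as an example and not taken from the advisory or the Cargo project: it parses the `cargo --version` line, treating a cargo binary of 1.71.1 or newer (the toolchain that ships the fixed Cargo crate 0.72.2) as fixed, and lists entries under `$CARGO_HOME/registry/src` that are group- or world-writable, which is what an extraction that ignores the umask leaves behind. It assumes POSIX sh, `cargo` on PATH, and `CARGO_HOME` defaulting to `~/.cargo`.

```shell
# Added example (not from the advisory): check CVE-2023-38497 exposure.
# Assumes POSIX sh, cargo on PATH, CARGO_HOME defaulting to ~/.cargo.

# Return 0 when dotted version $1 >= $2 (both X.Y.Z with numeric parts).
version_ge() {
  oldifs=$IFS; IFS=.
  set -- $1 $2          # $1..$3 = left version, $4..$6 = right version
  IFS=$oldifs
  [ "$1" -gt "$4" ] && return 0
  [ "$1" -lt "$4" ] && return 1
  [ "$2" -gt "$5" ] && return 0
  [ "$2" -lt "$5" ] && return 1
  [ "$3" -ge "$6" ]
}

# Parse a `cargo --version` line ("cargo 1.70.0 (...)"); return 0 when the
# binary is 1.71.1 or newer, the toolchain that ships the fixed crate 0.72.2.
cargo_is_fixed() {
  set -- $1
  ver=${2%%-*}          # drop -nightly/-beta: 1.71.0-nightly counts as 1.71.0
  [ -n "$ver" ] || return 1
  version_ge "$ver" 1.71.1
}

# Print entries under <cargo_home>/registry/src that are group- or
# world-writable: extracted sources another local user could alter.
find_loose_perms() {
  src=$1/registry/src
  [ -d "$src" ] || return 0
  find "$src" \( -perm -002 -o -perm -020 \) -print
}

main() {
  cargo_home=${CARGO_HOME:-$HOME/.cargo}
  if ! command -v cargo >/dev/null 2>&1; then
    echo "cargo not on PATH; version check skipped"
  elif cargo_is_fixed "$(cargo --version)"; then
    echo "cargo binary is 1.71.1 or newer: fixed"
  else
    echo "cargo binary predates 1.71.1: vulnerable, run 'rustup update stable'"
  fi
  loose=$(find_loose_perms "$cargo_home") || true
  if [ -n "$loose" ]; then
    printf 'writable by other users under %s/registry/src:\n%s\n' "$cargo_home" "$loose"
  else
    echo "no group/world-writable entries under $cargo_home/registry/src"
  fi
}

main "$@"
```

Any path printed by the second check is a file another local user on the machine could have altered before it was compiled, so treat it as a reason to clear that cache entry and re-download after updating.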

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file modifications in ~/.cargo/registry/src/
  • Multiple users accessing same Cargo cache files

Network Indicators:

  • None - this is a local file system vulnerability

SIEM Query:

File integrity monitoring alerts for ~/.cargo/registry/src/ directory modifications by non-owner users
