{"id":"USN-6275-1","summary":"cargo, rust-cargo vulnerability","details":"Addison Crump discovered that Cargo incorrectly set file permissions\non UNIX-like systems when extracting crate archives. If the crate would\ncontain files writable by any user, a local attacker could possibly use\nthis issue to execute code as another user.\n","modified":"2026-05-20T16:03:31.311299927Z","published":"2023-08-03T14:30:10Z","related":["UBUNTU-CVE-2023-38497"],"upstream":["CVE-2023-38497","UBUNTU-CVE-2023-38497"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-6275-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-38497"}],"affected":[{"package":{"name":"cargo","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/cargo?arch=source&distro=esm-infra-legacy%2Fxenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.47.0-1~exp1ubuntu1~16.04.1+esm1"}]}],"versions":["0.8.0-1","0.16.0-0ubuntu1~16.04.1","0.18.0-0ubuntu0.16.04.1","0.22.0-0ubuntu0.16.04.1","0.23.0-0ubuntu0.16.04.1","0.25.0-1ubuntu1~16.04.1","0.26.0-0ubuntu2~16.04.1","0.29.0-1ubuntu1~16.04.1","0.31.0-3ubuntu1~16.04.1","0.32.0-1~exp1ubuntu1~16.04.1","0.33.0-1ubuntu1~16.04.1","0.35.0-0ubuntu1~16.04.1","0.36.0-0ubuntu1~16.04.1","0.37.0-3ubuntu1~16.04.1","0.38.0-0ubuntu1~16.04.1","0.40.0-3ubuntu1~16.04.1","0.42.0-0ubuntu1~16.04.1","0.44.1-0ubuntu1~16.04.1","0.47.0-1~exp1ubuntu1~16.04.1"],"ecosystem_specific":{"binaries":[{"binary_name":"cargo","binary_version":"0.47.0-1~exp1ubuntu1~16.04.1+esm1"}],"availability":"Available with Ubuntu Pro with Legacy support add-on: https://ubuntu.com/pro"},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:Pro:16.04:LTS","cves":[]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-6275-1.json"}},{"package":{"name":"cargo","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/cargo?arch=source&distro=esm-apps%2Fbionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.66.0+ds0ubuntu0.libgit2-0ubuntu0.18.04.1~esm1"}]}],"versions":["0.19.0-0ubuntu1","0.22.0-0ubuntu1","0.22.0-0ubuntu2","0.23.0-0ubuntu1","0.24.0-1ubuntu1","0.25.0-1ubuntu1","0.26.0-0ubuntu1","0.26.0-0ubuntu2","0.29.0-1ubuntu1~18.04.1","0.31.0-3ubuntu1~18.04.4","0.32.0-1~exp1ubuntu1~18.04.1","0.33.0-1ubuntu1~18.04.1","0.35.0-0ubuntu1~18.04.1","0.36.0-0ubuntu1~18.04.1","0.37.0-3ubuntu1~18.04.1","0.38.0-0ubuntu1~18.04.1","0.40.0-3ubuntu1~18.04.1","0.42.0-0ubuntu1~18.04.1","0.44.1-0ubuntu1~18.04.1","0.47.0-1~exp1ubuntu1~18.04.1","0.52.0-0ubuntu1~18.04.1","0.54.0-0ubuntu1~18.04.1","0.58.0-0ubuntu1~18.04.1","0.60.0ubuntu1-0ubuntu1~18.04.1","0.62.0ubuntu0libgit2-0ubuntu0.18.04.1","0.66.0+ds0ubuntu0.libgit2-0ubuntu0.18.04"],"ecosystem_specific":{"binaries":[{"binary_name":"cargo","binary_version":"0.66.0+ds0ubuntu0.libgit2-0ubuntu0.18.04.1~esm1"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:Pro:18.04:LTS","cves":[{"severity":[{"score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-38497"}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-6275-1.json"}},{"package":{"name":"cargo","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/cargo?arch=source&distro=esm-apps%2Ffocal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.67.1+ds0ubuntu0.libgit2-0ubuntu0.20.04.2+esm1"}]}],"versions":["0.37.0-3ubuntu2","0.38.0-0ubuntu1","0.39.0-0ubuntu1","0.39.0+really0.38.0-0ubuntu1","0.39.0+really0.39.0-0ubuntu1","0.40.0-3ubuntu1","0.40.0-3ubuntu2","0.41.0-0ubuntu1","0.42.0-0ubuntu1","0.44.1-0ubuntu1~20.04.1","0.47.0-1~exp1ubuntu1~20.04.1","0.52.0-0ubuntu1~20.04.1","0.54.0-0ubuntu1~20.04.1","0.58.0-0ubuntu1~20.04.1","0.60.0ubuntu1-0ubuntu1~20.04.1","0.62.0ubuntu0libgit2-0ubuntu0.20.04.1","0.66.0+ds0ubuntu0.libgit2-0ubuntu0.20.04","0.67.1+ds0ubuntu0.libgit2-0ubuntu0.20.04.2"],"ecosystem_specific":{"binaries":[{"binary_name":"cargo","binary_version":"0.67.1+ds0ubuntu0.libgit2-0ubuntu0.20.04.2+esm1"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:Pro:20.04:LTS","cves":[{"severity":[{"score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-38497"}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-6275-1.json"}},{"package":{"name":"cargo","ecosystem":"Ubuntu:Pro:22.04:LTS","purl":"pkg:deb/ubuntu/cargo?arch=source&distro=esm-apps%2Fjammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.67.1+ds0ubuntu0.libgit2-0ubuntu0.22.04.2+esm1"}]}],"versions":["0.52.0-0ubuntu1","0.53.0-0ubuntu2","0.54.0-0ubuntu1","0.54.0-0ubuntu2","0.57.0+ubuntu-0ubuntu1","0.58.0-0ubuntu1","0.60.0ubuntu1-0ubuntu1~22.04.1","0.62.0ubuntu0libgit2-0ubuntu0.22.04.1","0.66.0+ds0ubuntu0.libgit2-0ubuntu0.22.04","0.67.1+ds0ubuntu0.libgit2-0ubuntu0.22.04.2"],"ecosystem_specific":{"binaries":[{"binary_name":"cargo","binary_version":"0.67.1+ds0ubuntu0.libgit2-0ubuntu0.22.04.2+esm1"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:Pro:22.04:LTS","cves":[{"severity":[{"score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-38497"}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-6275-1.json"}},{"package":{"name":"rust-cargo","ecosystem":"Ubuntu:Pro:22.04:LTS","purl":"pkg:deb/ubuntu/rust-cargo?arch=source&distro=esm-apps%2Fjammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.57.0-1ubuntu0.1~esm1"}]}],"versions":["0.43.1-4","0.57.0-1"],"ecosystem_specific":{"binaries":[{"binary_name":"librust-cargo+openssl-dev","binary_version":"0.57.0-1ubuntu0.1~esm1"},{"binary_name":"librust-cargo-dev","binary_version":"0.57.0-1ubuntu0.1~esm1"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:Pro:22.04:LTS","cves":[{"severity":[{"score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-38497"}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-6275-1.json"}}],"schema_version":"1.7.5"}