Vulnerability DatabaseCVE-2023-38497

CVE-2023-38497:
Rust vulnerability analysis and mitigation

Overview

CVE-2023-38497 affects Cargo, the package manager for the Rust programming language, in versions prior to 0.72.2 (bundled with Rust prior to version 1.71.1). The vulnerability was discovered and disclosed on August 3, 2023. The issue affects UNIX-like systems (like macOS and Linux) where Cargo failed to respect the umask when extracting crate archives (Rust Blog, GitHub Advisory).

Technical details

The vulnerability stems from Cargo not respecting the system's umask settings when extracting crate archives. In UNIX-like systems, each file has three sets of permissions: for the user owning the file, for the group owning the file, and for all other local users. The umask is configured to limit those permissions during file creation, removing dangerous ones. When Cargo downloads a dependency, it extracts the source code to disk for compilation, but it propagated the permissions stored in the crate archive as-is, bypassing the system's umask protection (GitHub Advisory).

Impact

If a user downloaded a crate containing files writeable by any local user, another local user could exploit this vulnerability to modify the source code that would be compiled and executed by the current user. This could potentially lead to code execution with the privileges of the user compiling the code (NVD).

Mitigation and workarounds

The primary mitigation is to update to Rust version 1.71.1 or later, which includes Cargo 0.72.2 that fixes the vulnerability. The fixed version respects the umask when extracting crate archives and will automatically purge caches generated by older versions. For users unable to update, a workaround is to prevent other local users from accessing the Cargo directory using the command: chmod go= ~/.cargo (GitHub Advisory).

Community reactions

The vulnerability was responsibly disclosed by Addison Crump according to the Rust security policy. The Rust Security Response WG coordinated the disclosure, with Weihang Lo developing the fix and Eric Huss reviewing it. Major Linux distributions like Fedora quickly released security updates to address the vulnerability (Fedora Update).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a Wiz customer? See which CVEs are exploitable in your environment.

Get a CVE Assessment

7.3

Score

Published August 4, 2023

Severity HIGH

CNA Score 7.9

Affected Technologies

Rust
NixOS

Has Public Exploit Yes

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 90

Exploitation Probability (EPSS) 5.7

Affected packages and libraries

rust-toolset:rhel8::rust-src
rust-toolset:rhel8::rls

Sources

NVD
AlmaLinux Security Advisory
- AlmaLinux 8 Severity HIGHHas FixAdded at: Aug 20, 2023
- AlmaLinux 9 Severity HIGHHas FixAdded at: Aug 16, 2023
Alpine Security Tracker
- Alpine 3.18 Severity HIGHHas FixAdded at: Aug 13, 2023
- Alpine 3.19 Severity HIGHHas FixAdded at: Dec 10, 2023
- Alpine 3.20 Severity HIGHHas FixAdded at: May 26, 2024
- Alpine 3.21 Severity HIGHHas FixAdded at: Dec 08, 2024
- Alpine 3.22 Severity HIGHHas FixAdded at: Jun 01, 2025
- Alpine 3.23 Severity HIGHHas FixAdded at: Dec 04, 2025
- Alpine edge Severity HIGHHas FixAdded at: Aug 06, 2023
CBL-Mariner
- CBL-Mariner 2.0 Severity HIGHHas FixAdded at: Oct 13, 2023
Debian Security Tracker
- Debian 10, 11 Severity MEDIUMNo FixAdded at: Aug 06, 2023
- Debian 13 Severity HIGHHas FixAdded at: Aug 06, 2023
- Debian 14 Severity HIGHHas FixAdded at: Aug 10, 2025
Echo
- Echo Severity HIGHHas FixAdded at: Nov 18, 2025
Gentoo Advisory Database
- Gentoo Severity MEDIUMHas FixAdded at: Sep 22, 2024
GitHub Advisory Database
- Rust Severity HIGHHas FixAdded at: Dec 26, 2024
Nix
- Nix Severity HIGHHas FixAdded at: Nov 01, 2023
Red Hat Errata
- Red Hat 8 Severity HIGHHas FixAdded at: Aug 06, 2023
- Red Hat 9 Severity HIGHHas FixAdded at: Aug 06, 2023
Rocky Linux Product Errata
- Rocky 9 Severity HIGHHas FixAdded at: Sep 24, 2023
Ubuntu Security Tracker
- Ubuntu 16.04 Severity MEDIUMHas FixAdded at: Nov 13, 2023
- Ubuntu 18.04, 20.04, 22.04 Severity MEDIUMHas FixAdded at: Aug 06, 2023
- Ubuntu 24.04 Severity MEDIUMHas FixAdded at: May 06, 2024

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related Rust vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-65807	HIGH	8.4	Rust	sd	No	No	Dec 10, 2025
CVE-2025-66627	HIGH	7.8	Rust	typst	No	Yes	Dec 09, 2025
CVE-2025-67487	MEDIUM	5.5	Rust	static-web-server	No	Yes	Dec 09, 2025
CVE-2025-66622	LOW	1.3	Rust	matrix-sdk-base	No	Yes	Dec 09, 2025
RUSTSEC-2025-0135	N/A	N/A	Rust	matrix-sdk-base	No	Yes	Dec 08, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2023-38497: Rust vulnerability analysis and mitigation