Lucene search
K
Rust-langCargo

6 matches found

CVE
CVE
added 2023/08/04 3:51 p.m.329 views

CVE-2023-38497

CVE-2023-38497 concerns Cargo and Rust: older Cargo (pre-0.72.2) bundled with Rust pre-1.71.1 did not respect the umask when extracting crate archives, allowing a local-privilege-like impact where a local user could alter source code being compiled and executed by the current user. The issue is m...

7.9CVSS6.9AI score0.00763EPSS
CVE
CVE
added 2023/01/11 8:7 p.m.270 views

CVE-2022-46176

Cargo for Rust did not verify SSH host keys when cloning indexes/dependencies via SSH, enabling potential MITM attacks. All Rust versions containing Cargo before 1.66.1 are affected; upgrading to Cargo/Rust 1.66.1 fixes the SSH host key verification behavior by aborting connections if the server ...

5.9CVSS5.3AI score0.00649EPSS
CVE
CVE
added 2022/09/14 12:0 a.m.84 views

CVE-2022-36113

Cargo vulnerability (CVE-2022-36113): Cargo would extract packages into ~/.cargo and mark success with a .cargo-ok file. A malicious package could include a .cargo-ok symlink; when Cargo wrote ok, it would overwrite the first two bytes of the symlink target, enabling corruption of a single file o...

8.1CVSS7.2AI score0.01004EPSS
CVE
CVE
added 2022/09/14 12:0 a.m.79 views

CVE-2022-36114

CVE-2022-36114 concerns Cargo, Rust’s package manager. The advisory states Cargo does not limit data extracted from compressed archives, enabling a zip-bomb attack when a malicious package is uploaded to an alternate registry. This could exhaust disk space on a machine downloading the package. Th...

6.5CVSS6.7AI score0.00792EPSS
CVE
CVE
added 2026/05/25 8:57 a.m.32 views

CVE-2026-5223

CVE-2026-5223 affects Cargo: symlinks inside crate tarballs from third-party registries can cause a malicious crate to override the cached source of another crate from the same registry. The issue is due to how symlinks are handled, enabling modification of source files after download. Impact is ...

6.5CVSS5.9AI score0.00294EPSS
CVE
CVE
added 2026/05/25 8:54 a.m.30 views

CVE-2026-5222

CVE-2026-5222 affects Cargo (versions 1.68–1.96) where URLs of third-party registries using the sparse index protocol are incorrectly normalized. If a hosting provider lets multiple registries share a domain with arbitrary names, an attacker who can publish crates in a registry could obtain crede...

6.5CVSS5.9AI score0.00328EPSS