cvedb.io
CVE-2022-36113
MEDIUM · CVSS 4.6
EPSS exploitation probability: 0%
Published 2022-09-14T18:15:10.763 · Last modified 2026-06-17T04:52:56.910

Summary

Cargo is a package manager for the rust programming language. After a package is downloaded, Cargo extracts its source code in the ~/.cargo folder on disk, making it available to the Rust projects it builds. To record when an extraction is successful, Cargo writes "ok" to the .cargo-ok file at the root of the extracted source code once it extracted all the files. It was discovered that Cargo allowed packages to contain a .cargo-ok symbolic link, which Cargo would extract. Then, when Cargo attempted to write "ok" into .cargo-ok, it would actually replace the first two bytes of the file the symlink pointed to with ok. This would allow an attacker to corrupt one file on the machine using Cargo to extract the package. Note that by design Cargo allows code execution at build time, due to build

Affected products

rust-lang — cargo

Does this affect you?

Add your gear to cvedb and we'll alert you only when rust-lang ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.