cargo (crates.io) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the crates.io package cargo, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (6)
CVE-2023-38497 — CVSS 7.9 (high): Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to…
CVE-2023-40030 — CVSS 6.1 (medium): Cargo downloads a Rust project’s dependencies and compiles the project. Starting in Rust 1.60.0 and prior to 1.72, Cargo did not escape…
CVE-2022-46176 — CVSS 5.3 (medium): Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when…
CVE-2022-36114 — CVSS 4.8 (medium): Cargo is a package manager for the rust programming language. It was discovered that Cargo did not limit the amount of data extracted from…
CVE-2019-16760 — CVSS 4.6 (medium): Cargo prior to Rust 1.26.0 may download the wrong dependency if your package.toml file uses the `package` configuration key. Usage of the…
CVE-2022-36113 — CVSS 4.6 (medium): Cargo is a package manager for the rust programming language. After a package is downloaded, Cargo extracts its source code in the ~/.cargo…