Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is medium for users of third-party registries. Users of crates.io are not affected, as crates.io forbids uploading crates containing any symlink.
Exploitability
AV:N/AC:L/AT:N/PR:N/UI:P
Vulnerable System
VC:N/VI:L/VA:N
Subsequent System
SC:H/SI:H/SA:H
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H
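A third-party registry can apply the same upload policy the advisory text attributes to crates.io and refuse any crate tarball that contains a symlink. The check below is an added example, not code from Cargo or crates.io; the function names and the sample tarball are constructed for illustration, and flagging hard links as well is an assumption that goes beyond what the advisory states.

```python
import io
import tarfile


def find_link_entries(crate_bytes):
    """Return (name, kind, target) for each link entry in a gzip-compressed .crate tarball."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(crate_bytes), mode="r:gz") as tar:
        for member in tar:
            if member.issym():
                findings.append((member.name, "symlink", member.linkname))
            elif member.islnk():
                # Assumption: hard links are flagged too, although the advisory names only symlinks.
                findings.append((member.name, "hardlink", member.linkname))
    return findings


def accept_upload(crate_bytes):
    """Registry-side policy: accept the upload only if the tarball has no link entries."""
    return not find_link_entries(crate_bytes)


def build_sample_crate(with_symlink):
    """Constructed sample input: an in-memory .crate-style tarball, optionally with a symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = b"pub fn hello() {}\n"
        info = tarfile.TarInfo("demo-0.1.0/src/lib.rs")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
        if with_symlink:
            link = tarfile.TarInfo("demo-0.1.0/vendor")
            link.type = tarfile.SYMTYPE
            link.linkname = "../sibling-dir"  # constructed target outside the crate directory
            tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        crate = build_sample_crate(flag)
        verdict = "accepted" if accept_upload(crate) else "rejected"
        print(verdict, find_link_entries(crate))
```

The scan reads tar headers only and never extracts the archive, so it is safe to run on untrusted uploads before they are stored or served.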