Cargo Package Manager Vulnerability

There is a vulnerability in the Cargo package manager, which is used to manage packages and build projects written in Rust. The vulnerability, identified as CVE-2023-38497, is caused by Cargo failing to apply the process umask when extracting files from packages on Unix-like systems. As a result, the extracted files are installed with the permission bits recorded in the archive rather than with those bits masked by the user's umask.

If the archive contains files whose permissions grant write access to all users, those permissions are not masked during unpacking. Any local user can then modify the dependency's code and have their own code executed when another user compiles and runs the project. The vulnerability has been fixed in the latest Rust release, version 1.71.1.
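The following Rust program is an added example, not Cargo's own extraction code, showing what "ignoring the umask" means for an extracted file and the check an administrator can run afterwards. It assumes a Unix-like host and uses `fs::set_permissions` as a stand-in for the explicit chmod an archive extractor performs after creating each entry; the archive header mode `0o666` is a constructed value, and `extract_entry`, `apply_umask`, `current_umask` and `world_writable_files` are names chosen for this example.

```rust
// Added example (not Cargo's code): applying the umask to an archive entry's
// mode, the unmasked behaviour that CVE-2023-38497 describes, and an audit
// check for world-writable files left behind by such an extraction.
use std::fs;
use std::io::Write;
use std::os::unix::fs::PermissionsExt;
use std::path::{Path, PathBuf};

/// Discover the process umask without libc: a file created with mode 0o777
/// ends up as `0o777 & !umask`, so the bits that went missing are the umask.
pub fn current_umask() -> u32 {
    use std::os::unix::fs::OpenOptionsExt;
    let probe = std::env::temp_dir().join(format!("umask-probe-{}", std::process::id()));
    let _ = fs::remove_file(&probe); // clear a stale probe from an earlier run
    let f = fs::OpenOptions::new()
        .write(true)
        .create_new(true)
        .mode(0o777)
        .open(&probe)
        .expect("create probe file");
    let actual = f.metadata().expect("stat probe").permissions().mode() & 0o777;
    drop(f);
    let _ = fs::remove_file(&probe);
    0o777 & !actual
}

/// Corrected behaviour: keep only the rwx bits from the archive header
/// (dropping setuid/setgid/sticky) and clear every bit the umask clears.
pub fn apply_umask(archive_mode: u32, umask: u32) -> u32 {
    (archive_mode & 0o777) & !umask
}

/// Write one extracted entry into `dir`. With `honour_umask == false` this
/// reproduces the defect: the header mode is applied verbatim, so a 0o666
/// entry lands on disk world-writable even under a 022 umask.
pub fn extract_entry(dir: &Path, name: &str, archive_mode: u32, umask: u32, honour_umask: bool) -> PathBuf {
    fs::create_dir_all(dir).expect("create extraction dir");
    let path = dir.join(name);
    let mut f = fs::File::create(&path).expect("create entry");
    f.write_all(b"fn main() {}\n").expect("write entry"); // constructed file body
    let mode = if honour_umask {
        apply_umask(archive_mode, umask)
    } else {
        archive_mode & 0o7777
    };
    fs::set_permissions(&path, fs::Permissions::from_mode(mode)).expect("chmod entry");
    path
}

/// Audit check: regular files directly under `dir` that any user may write.
/// Run against an extracted registry/source directory after the fact.
pub fn world_writable_files(dir: &Path) -> Vec<PathBuf> {
    let mut hits = Vec::new();
    if let Ok(entries) = fs::read_dir(dir) {
        for entry in entries.flatten() {
            let md = match entry.metadata() {
                Ok(m) => m,
                Err(_) => continue,
            };
            if md.is_file() && md.permissions().mode() & 0o002 != 0 {
                hits.push(entry.path());
            }
        }
    }
    hits.sort();
    hits
}

fn main() {
    let dir = std::env::temp_dir().join(format!("cargo-umask-demo-{}", std::process::id()));
    let umask = current_umask();
    // Constructed archive header: a source file recorded as 0666 (rw for everyone).
    extract_entry(&dir, "unmasked.rs", 0o666, umask, false);
    extract_entry(&dir, "masked.rs", 0o666, umask, true);
    println!("process umask = {:03o}", umask);
    for p in world_writable_files(&dir) {
        println!("world-writable: {}", p.display());
    }
    let _ = fs::remove_dir_all(&dir);
}
```

Under the usual 022 umask only `unmasked.rs` is reported; with a umask of 000 both files are world-writable, which is why the fix has to mask the header mode rather than simply rely on the umask that applied when the file was first created and then chmod over it.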

Sources: reports, release notes, official announcements.