CVE-2023-32698

Exploit

EPSS 0.38%
Veröffentlicht 30.05.2023 04:15:10
Zuletzt bearbeitet 21.11.2024 08:03:52
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

nfpm vulnerable to Incorrect Default Permissions

nFPM is an alternative to fpm. The file permissions on the checked-in files were not maintained. Hence, when nfpm packaged 
the files (without extra config for enforcing it’s own permissions) files could go out with bad permissions (chmod 666 or 777). Anyone using nfpm for creating packages without checking/setting file permissions before packaging could result in bad permissions for files/folders.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Goreleaser ≫ Nfpm Version >= 0.1.0 < 2.29.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.38%	0.3

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.1	1.8	5.2	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
security-advisories@github.com	7.1	1.8	5.2	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE-276 Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30

Patch

https://github.com/goreleaser/nfpm/releases/tag/v2.29.0

Release Notes

https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c

Vendor Advisory

Exploit

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2023-32698

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-32698

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-32698

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-32698