7.1

CVE-2023-32698

Exploit

EPSS 0.21%
Veröffentlicht 30.05.2023 04:15:10
Zuletzt bearbeitet 21.11.2024 08:03:52
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

nFPM is an alternative to fpm. The file permissions on the checked-in files were not maintained. Hence, when nfpm packaged 
the files (without extra config for enforcing it’s own permissions) files could go out with bad permissions (chmod 666 or 777). Anyone using nfpm for creating packages without checking/setting file permissions before packaging could result in bad permissions for files/folders.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Goreleaser ≫ Nfpm Version >= 0.1.0 < 2.29.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.21%	0.425

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.1	1.8	5.2	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
security-advisories@github.com	7.1	1.8	5.2	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE-276 Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30

Patch

https://github.com/goreleaser/nfpm/releases/tag/v2.29.0

Release Notes

https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c

Vendor Advisory

Exploit

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2023-32698

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-32698

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-32698

EUVD