3.6
CVE-2024-38531
- EPSS 0.02%
- Veröffentlicht 28.06.2024 14:15:03
- Zuletzt bearbeitet 15.04.2026 00:35:42
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Nix sandbox escape
Nix is a package manager for Linux and other Unix systems that makes package management reliable and reproducible. A build process has access to and can change the permissions of the build directory. After creating a setuid binary in a globally accessible location, a malicious local user can assume the permissions of a Nix daemon worker and hijack all future builds. This issue was patched in version(s) 2.23.1, 2.22.2, 2.21.3, 2.20.7, 2.19.5 and 2.18.4.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerNixOS
≫
Produkt
nix
Version
>= 2.23.0, < 2.23.1
Status
affected
Version
>= 2.22.0, < 2.22.2
Status
affected
Version
>= 2.21.0, < 2.21.3
Status
affected
Version
>= 2.20.0, < 2.20.7
Status
affected
Version
>= 2.19.0, < 2.19.5
Status
affected
Version
>= 2.18.0, < 2.18.4
Status
affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.02% | 0.052 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 3.6 | 1 | 2.5 |
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
|
CWE-278 Insecure Preserved Inherited Permissions
A product inherits a set of insecure permissions for an object, e.g. when copying from an archive file, without user awareness or involvement.