3.6
CVE-2024-38531
- EPSS 0.02%
- Veröffentlicht 28.06.2024 14:15:03
- Zuletzt bearbeitet 21.11.2024 09:26:13
- Quelle security-advisories@github.com
- Teams Watchlist Login
- Unerledigt Login
Nix is a package manager for Linux and other Unix systems that makes package management reliable and reproducible. A build process has access to and can change the permissions of the build directory. After creating a setuid binary in a globally accessible location, a malicious local user can assume the permissions of a Nix daemon worker and hijack all future builds. This issue was patched in version(s) 2.23.1, 2.22.2, 2.21.3, 2.20.7, 2.19.5 and 2.18.4.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. Login
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerNixOS
≫
Produkt
nix
Version
>= 2.23.0, < 2.23.1
Status
affected
Version
>= 2.22.0, < 2.22.2
Status
affected
Version
>= 2.21.0, < 2.21.3
Status
affected
Version
>= 2.20.0, < 2.20.7
Status
affected
Version
>= 2.19.0, < 2.19.5
Status
affected
Version
>= 2.18.0, < 2.18.4
Status
affected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.02% | 0.052 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 3.6 | 1 | 2.5 |
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
|
CWE-278 Insecure Preserved Inherited Permissions
A product inherits a set of insecure permissions for an object, e.g. when copying from an archive file, without user awareness or involvement.