CVE-2023-32698

Published: May 30, 2023Modified: Nov 21, 2024

7.1

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Exploitability: 1.8 / Impact: 5.2

Source: NVD

Description

nFPM is an alternative to fpm. The file permissions on the checked-in files were not maintained. Hence, when nfpm packaged the files (without extra config for enforcing it’s own permissions) files could go out with bad permissions (chmod 666 or 777). Anyone using nfpm for creating packages without checking/setting file permissions before packaging could result in bad permissions for files/folders.

Affected (1)

Products: Goreleaser: Nfpm

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Goreleaser Nfpm	From 0.1.0 to 2.29.0

Related CWEs

Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

References (6)

https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30

Source: security-advisories@github.com

Patch

https://github.com/goreleaser/nfpm/releases/tag/v2.29.0

Source: security-advisories@github.com

Release Notes

https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c

Source: security-advisories@github.com

ExploitMitigationVendor Advisory

https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/goreleaser/nfpm/releases/tag/v2.29.0

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitMitigationVendor Advisory

Timeline

No history available yet.