CVE-2023-32698

nfpm vulnerable to Incorrect Default Permissions

CVSS 7.1 HIGHEPSS 0.4%CWE-276

Vexday Risk Score

21Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 7.1EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

30 mai 2023Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

nFPM is an alternative to fpm. The file permissions on the checked-in files were not maintained. Hence, when nfpm packaged the files (without extra config for enforcing it’s own permissions) files could go out with bad permissions (chmod 666 or 777). Anyone using nfpm for creating packages without checking/setting file permissions before packaging could result in bad permissions for files/folders.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Produtos afetados

goreleaser · nfpm

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30 https://github.com/goreleaser/nfpm/releases/tag/v2.29.0 https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c