Search criteria
6 vulnerabilities found for guix by gnu
CVE-2025-59378 (GCVE-0-2025-59378)
Vulnerability from nvd – Published: 2025-09-15 00:00 – Updated: 2025-09-15 20:23
VLAI?
Summary
In guix-daemon in GNU Guix before 1618ca7, a content-addressed-mirrors file can be written to create a setuid program that allows a regular user to gain the privileges of the build user that runs it (even after the build has ended).
Severity ?
5.7 (Medium)
CWE
- CWE-669 - Incorrect Resource Transfer Between Spheres
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59378",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-15T20:23:36.482773Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T20:23:44.642Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Guix",
"vendor": "GNU",
"versions": [
{
"lessThan": "1618ca7aa2ee8b6519ee9fd0b965e15eca2bfe45",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gnu:guix:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1618ca7aa2ee8b6519ee9fd0b965e15eca2bfe45",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In guix-daemon in GNU Guix before 1618ca7, a content-addressed-mirrors file can be written to create a setuid program that allows a regular user to gain the privileges of the build user that runs it (even after the build has ended)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-669",
"description": "CWE-669 Incorrect Resource Transfer Between Spheres",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T05:38:42.067Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://guix.gnu.org/en/blog/2025/privilege-escalation-vulnerability-2025-2/"
},
{
"url": "https://codeberg.org/guix/guix/commit/1618ca7aa2ee8b6519ee9fd0b965e15eca2bfe45"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-59378",
"datePublished": "2025-09-15T00:00:00.000Z",
"dateReserved": "2025-09-15T00:00:00.000Z",
"dateUpdated": "2025-09-15T20:23:44.642Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27851 (GCVE-0-2021-27851)
Vulnerability from nvd – Published: 2021-04-26 15:35 – Updated: 2024-09-17 02:11
VLAI?
Title
Local privilege escalation in GNU Guix via guix-daemon and '--keep-failed'
Summary
A security vulnerability that can lead to local privilege escalation has been found in ’guix-daemon’. It affects multi-user setups in which ’guix-daemon’ runs locally. The attack consists in having an unprivileged user spawn a build process, for instance with `guix build`, that makes its build directory world-writable. The user then creates a hardlink to a root-owned file such as /etc/shadow in that build directory. If the user passed the --keep-failed option and the build eventually fails, the daemon changes ownership of the whole build tree, including the hardlink, to the user. At that point, the user has write access to the target file. Versions after and including v0.11.0-3298-g2608e40988, and versions prior to v1.2.0-75109-g94f0312546 are vulnerable.
Severity ?
No CVSS data available.
CWE
- CWE-264 - Permissions, Privileges, and Access Controls
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GNU Guix | guix-daemon |
Affected:
v0.11.0-3298-g2608e40988 , < unspecified
(custom)
Affected: unspecified , < v1.2.0-75109-g94f0312546 (custom) |
Credits
Nathan Nye of WhiteBeam Security
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:33:15.927Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://guix.gnu.org/en/blog/2021/risk-of-local-privilege-escalation-via-guix-daemon/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.gnu.org/47229"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "guix-daemon",
"vendor": "GNU Guix",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "v0.11.0-3298-g2608e40988",
"versionType": "custom"
},
{
"lessThan": "v1.2.0-75109-g94f0312546",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Nathan Nye of WhiteBeam Security"
}
],
"datePublic": "2021-03-18T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability that can lead to local privilege escalation has been found in \u2019guix-daemon\u2019. It affects multi-user setups in which \u2019guix-daemon\u2019 runs locally. The attack consists in having an unprivileged user spawn a build process, for instance with `guix build`, that makes its build directory world-writable. The user then creates a hardlink to a root-owned file such as /etc/shadow in that build directory. If the user passed the --keep-failed option and the build eventually fails, the daemon changes ownership of the whole build tree, including the hardlink, to the user. At that point, the user has write access to the target file. Versions after and including v0.11.0-3298-g2608e40988, and versions prior to v1.2.0-75109-g94f0312546 are vulnerable."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-264",
"description": "CWE-264 Permissions, Privileges, and Access Controls",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-26T15:35:28",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://guix.gnu.org/en/blog/2021/risk-of-local-privilege-escalation-via-guix-daemon/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.gnu.org/47229"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Local privilege escalation in GNU Guix via guix-daemon and \u0027--keep-failed\u0027",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"DATE_PUBLIC": "2021-03-18T00:00:00.000Z",
"ID": "CVE-2021-27851",
"STATE": "PUBLIC",
"TITLE": "Local privilege escalation in GNU Guix via guix-daemon and \u0027--keep-failed\u0027"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "guix-daemon",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "v0.11.0-3298-g2608e40988"
},
{
"version_affected": "\u003c",
"version_value": "v1.2.0-75109-g94f0312546"
}
]
}
}
]
},
"vendor_name": "GNU Guix"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Nathan Nye of WhiteBeam Security"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A security vulnerability that can lead to local privilege escalation has been found in \u2019guix-daemon\u2019. It affects multi-user setups in which \u2019guix-daemon\u2019 runs locally. The attack consists in having an unprivileged user spawn a build process, for instance with `guix build`, that makes its build directory world-writable. The user then creates a hardlink to a root-owned file such as /etc/shadow in that build directory. If the user passed the --keep-failed option and the build eventually fails, the daemon changes ownership of the whole build tree, including the hardlink, to the user. At that point, the user has write access to the target file. Versions after and including v0.11.0-3298-g2608e40988, and versions prior to v1.2.0-75109-g94f0312546 are vulnerable."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-264 Permissions, Privileges, and Access Controls"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://guix.gnu.org/en/blog/2021/risk-of-local-privilege-escalation-via-guix-daemon/",
"refsource": "MISC",
"url": "https://guix.gnu.org/en/blog/2021/risk-of-local-privilege-escalation-via-guix-daemon/"
},
{
"name": "https://bugs.gnu.org/47229",
"refsource": "MISC",
"url": "https://bugs.gnu.org/47229"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2021-27851",
"datePublished": "2021-04-26T15:35:28.989968Z",
"dateReserved": "2021-03-01T00:00:00",
"dateUpdated": "2024-09-17T02:11:05.201Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-18192 (GCVE-0-2019-18192)
Vulnerability from nvd – Published: 2019-10-17 19:06 – Updated: 2024-08-05 01:47
VLAI?
Summary
GNU Guix 1.0.1 allows local users to gain access to an arbitrary user's account because the parent directory of the user-profile directories is world writable, a similar issue to CVE-2019-17365.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:47:13.562Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://issues.guix.gnu.org/issue/37744"
},
{
"name": "[oss-security] 20191017 CVE-2019-18192: Insecure permissions on Guix profile directory",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2019/10/17/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GNU Guix 1.0.1 allows local users to gain access to an arbitrary user\u0027s account because the parent directory of the user-profile directories is world writable, a similar issue to CVE-2019-17365."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-17T23:06:05",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://issues.guix.gnu.org/issue/37744"
},
{
"name": "[oss-security] 20191017 CVE-2019-18192: Insecure permissions on Guix profile directory",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2019/10/17/3"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-18192",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "GNU Guix 1.0.1 allows local users to gain access to an arbitrary user\u0027s account because the parent directory of the user-profile directories is world writable, a similar issue to CVE-2019-17365."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://issues.guix.gnu.org/issue/37744",
"refsource": "MISC",
"url": "https://issues.guix.gnu.org/issue/37744"
},
{
"name": "[oss-security] 20191017 CVE-2019-18192: Insecure permissions on Guix profile directory",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2019/10/17/3"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-18192",
"datePublished": "2019-10-17T19:06:48",
"dateReserved": "2019-10-17T00:00:00",
"dateUpdated": "2024-08-05T01:47:13.562Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59378 (GCVE-0-2025-59378)
Vulnerability from cvelistv5 – Published: 2025-09-15 00:00 – Updated: 2025-09-15 20:23
VLAI?
Summary
In guix-daemon in GNU Guix before 1618ca7, a content-addressed-mirrors file can be written to create a setuid program that allows a regular user to gain the privileges of the build user that runs it (even after the build has ended).
Severity ?
5.7 (Medium)
CWE
- CWE-669 - Incorrect Resource Transfer Between Spheres
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59378",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-15T20:23:36.482773Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T20:23:44.642Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Guix",
"vendor": "GNU",
"versions": [
{
"lessThan": "1618ca7aa2ee8b6519ee9fd0b965e15eca2bfe45",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gnu:guix:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1618ca7aa2ee8b6519ee9fd0b965e15eca2bfe45",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In guix-daemon in GNU Guix before 1618ca7, a content-addressed-mirrors file can be written to create a setuid program that allows a regular user to gain the privileges of the build user that runs it (even after the build has ended)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-669",
"description": "CWE-669 Incorrect Resource Transfer Between Spheres",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T05:38:42.067Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://guix.gnu.org/en/blog/2025/privilege-escalation-vulnerability-2025-2/"
},
{
"url": "https://codeberg.org/guix/guix/commit/1618ca7aa2ee8b6519ee9fd0b965e15eca2bfe45"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-59378",
"datePublished": "2025-09-15T00:00:00.000Z",
"dateReserved": "2025-09-15T00:00:00.000Z",
"dateUpdated": "2025-09-15T20:23:44.642Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27851 (GCVE-0-2021-27851)
Vulnerability from cvelistv5 – Published: 2021-04-26 15:35 – Updated: 2024-09-17 02:11
VLAI?
Title
Local privilege escalation in GNU Guix via guix-daemon and '--keep-failed'
Summary
A security vulnerability that can lead to local privilege escalation has been found in ’guix-daemon’. It affects multi-user setups in which ’guix-daemon’ runs locally. The attack consists in having an unprivileged user spawn a build process, for instance with `guix build`, that makes its build directory world-writable. The user then creates a hardlink to a root-owned file such as /etc/shadow in that build directory. If the user passed the --keep-failed option and the build eventually fails, the daemon changes ownership of the whole build tree, including the hardlink, to the user. At that point, the user has write access to the target file. Versions after and including v0.11.0-3298-g2608e40988, and versions prior to v1.2.0-75109-g94f0312546 are vulnerable.
Severity ?
No CVSS data available.
CWE
- CWE-264 - Permissions, Privileges, and Access Controls
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GNU Guix | guix-daemon |
Affected:
v0.11.0-3298-g2608e40988 , < unspecified
(custom)
Affected: unspecified , < v1.2.0-75109-g94f0312546 (custom) |
Credits
Nathan Nye of WhiteBeam Security
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:33:15.927Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://guix.gnu.org/en/blog/2021/risk-of-local-privilege-escalation-via-guix-daemon/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.gnu.org/47229"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "guix-daemon",
"vendor": "GNU Guix",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "v0.11.0-3298-g2608e40988",
"versionType": "custom"
},
{
"lessThan": "v1.2.0-75109-g94f0312546",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Nathan Nye of WhiteBeam Security"
}
],
"datePublic": "2021-03-18T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability that can lead to local privilege escalation has been found in \u2019guix-daemon\u2019. It affects multi-user setups in which \u2019guix-daemon\u2019 runs locally. The attack consists in having an unprivileged user spawn a build process, for instance with `guix build`, that makes its build directory world-writable. The user then creates a hardlink to a root-owned file such as /etc/shadow in that build directory. If the user passed the --keep-failed option and the build eventually fails, the daemon changes ownership of the whole build tree, including the hardlink, to the user. At that point, the user has write access to the target file. Versions after and including v0.11.0-3298-g2608e40988, and versions prior to v1.2.0-75109-g94f0312546 are vulnerable."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-264",
"description": "CWE-264 Permissions, Privileges, and Access Controls",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-26T15:35:28",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://guix.gnu.org/en/blog/2021/risk-of-local-privilege-escalation-via-guix-daemon/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.gnu.org/47229"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Local privilege escalation in GNU Guix via guix-daemon and \u0027--keep-failed\u0027",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"DATE_PUBLIC": "2021-03-18T00:00:00.000Z",
"ID": "CVE-2021-27851",
"STATE": "PUBLIC",
"TITLE": "Local privilege escalation in GNU Guix via guix-daemon and \u0027--keep-failed\u0027"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "guix-daemon",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "v0.11.0-3298-g2608e40988"
},
{
"version_affected": "\u003c",
"version_value": "v1.2.0-75109-g94f0312546"
}
]
}
}
]
},
"vendor_name": "GNU Guix"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Nathan Nye of WhiteBeam Security"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A security vulnerability that can lead to local privilege escalation has been found in \u2019guix-daemon\u2019. It affects multi-user setups in which \u2019guix-daemon\u2019 runs locally. The attack consists in having an unprivileged user spawn a build process, for instance with `guix build`, that makes its build directory world-writable. The user then creates a hardlink to a root-owned file such as /etc/shadow in that build directory. If the user passed the --keep-failed option and the build eventually fails, the daemon changes ownership of the whole build tree, including the hardlink, to the user. At that point, the user has write access to the target file. Versions after and including v0.11.0-3298-g2608e40988, and versions prior to v1.2.0-75109-g94f0312546 are vulnerable."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-264 Permissions, Privileges, and Access Controls"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://guix.gnu.org/en/blog/2021/risk-of-local-privilege-escalation-via-guix-daemon/",
"refsource": "MISC",
"url": "https://guix.gnu.org/en/blog/2021/risk-of-local-privilege-escalation-via-guix-daemon/"
},
{
"name": "https://bugs.gnu.org/47229",
"refsource": "MISC",
"url": "https://bugs.gnu.org/47229"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2021-27851",
"datePublished": "2021-04-26T15:35:28.989968Z",
"dateReserved": "2021-03-01T00:00:00",
"dateUpdated": "2024-09-17T02:11:05.201Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-18192 (GCVE-0-2019-18192)
Vulnerability from cvelistv5 – Published: 2019-10-17 19:06 – Updated: 2024-08-05 01:47
VLAI?
Summary
GNU Guix 1.0.1 allows local users to gain access to an arbitrary user's account because the parent directory of the user-profile directories is world writable, a similar issue to CVE-2019-17365.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:47:13.562Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://issues.guix.gnu.org/issue/37744"
},
{
"name": "[oss-security] 20191017 CVE-2019-18192: Insecure permissions on Guix profile directory",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2019/10/17/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GNU Guix 1.0.1 allows local users to gain access to an arbitrary user\u0027s account because the parent directory of the user-profile directories is world writable, a similar issue to CVE-2019-17365."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-17T23:06:05",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://issues.guix.gnu.org/issue/37744"
},
{
"name": "[oss-security] 20191017 CVE-2019-18192: Insecure permissions on Guix profile directory",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2019/10/17/3"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-18192",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "GNU Guix 1.0.1 allows local users to gain access to an arbitrary user\u0027s account because the parent directory of the user-profile directories is world writable, a similar issue to CVE-2019-17365."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://issues.guix.gnu.org/issue/37744",
"refsource": "MISC",
"url": "https://issues.guix.gnu.org/issue/37744"
},
{
"name": "[oss-security] 20191017 CVE-2019-18192: Insecure permissions on Guix profile directory",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2019/10/17/3"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-18192",
"datePublished": "2019-10-17T19:06:48",
"dateReserved": "2019-10-17T00:00:00",
"dateUpdated": "2024-08-05T01:47:13.562Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}