Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for nfpm by goreleaser

    CVE-2023-32698 (GCVE-0-2023-32698)

    Vulnerability from nvd – Published: 2023-05-30 03:56 – Updated: 2025-01-10 20:36
    VLAI
    Title
    nfpm vulnerable to Incorrect Default Permissions
    Summary
    nFPM is an alternative to fpm. The file permissions on the checked-in files were not maintained. Hence, when nfpm packaged the files (without extra config for enforcing it’s own permissions) files could go out with bad permissions (chmod 666 or 777). Anyone using nfpm for creating packages without checking/setting file permissions before packaging could result in bad permissions for files/folders.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-276 - Incorrect Default Permissions
    Assigner
    Impacted products
    Vendor Product Version
    goreleaser nfpm Affected: >= 2.0.0, < 2.29.0
    Affected: >= 0.1.0, < 2.29.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:25:36.897Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c"
              },
              {
                "name": "https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30"
              },
              {
                "name": "https://github.com/goreleaser/nfpm/releases/tag/v2.29.0",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/goreleaser/nfpm/releases/tag/v2.29.0"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-32698",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-10T20:36:13.134834Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-10T20:36:22.810Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nfpm",
              "vendor": "goreleaser",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.0.0, \u003c 2.29.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 0.1.0, \u003c 2.29.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "nFPM is an alternative to fpm. The file permissions on the checked-in files were not maintained. Hence, when nfpm packaged \nthe files (without extra config for enforcing it\u2019s own permissions) files could go out with bad permissions (chmod 666 or 777). Anyone using nfpm for creating packages without checking/setting file permissions before packaging could result in bad permissions for files/folders."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-276",
                  "description": "CWE-276: Incorrect Default Permissions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-30T03:56:30.807Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c"
            },
            {
              "name": "https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30"
            },
            {
              "name": "https://github.com/goreleaser/nfpm/releases/tag/v2.29.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goreleaser/nfpm/releases/tag/v2.29.0"
            }
          ],
          "source": {
            "advisory": "GHSA-w7jw-q4fg-qc4c",
            "discovery": "UNKNOWN"
          },
          "title": "nfpm vulnerable to Incorrect Default Permissions"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-32698",
        "datePublished": "2023-05-30T03:56:30.807Z",
        "dateReserved": "2023-05-11T16:33:45.734Z",
        "dateUpdated": "2025-01-10T20:36:22.810Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-32698 (GCVE-0-2023-32698)

    Vulnerability from cvelistv5 – Published: 2023-05-30 03:56 – Updated: 2025-01-10 20:36
    VLAI
    Title
    nfpm vulnerable to Incorrect Default Permissions
    Summary
    nFPM is an alternative to fpm. The file permissions on the checked-in files were not maintained. Hence, when nfpm packaged the files (without extra config for enforcing it’s own permissions) files could go out with bad permissions (chmod 666 or 777). Anyone using nfpm for creating packages without checking/setting file permissions before packaging could result in bad permissions for files/folders.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-276 - Incorrect Default Permissions
    Assigner
    Impacted products
    Vendor Product Version
    goreleaser nfpm Affected: >= 2.0.0, < 2.29.0
    Affected: >= 0.1.0, < 2.29.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:25:36.897Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c"
              },
              {
                "name": "https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30"
              },
              {
                "name": "https://github.com/goreleaser/nfpm/releases/tag/v2.29.0",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/goreleaser/nfpm/releases/tag/v2.29.0"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-32698",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-10T20:36:13.134834Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-10T20:36:22.810Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nfpm",
              "vendor": "goreleaser",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.0.0, \u003c 2.29.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 0.1.0, \u003c 2.29.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "nFPM is an alternative to fpm. The file permissions on the checked-in files were not maintained. Hence, when nfpm packaged \nthe files (without extra config for enforcing it\u2019s own permissions) files could go out with bad permissions (chmod 666 or 777). Anyone using nfpm for creating packages without checking/setting file permissions before packaging could result in bad permissions for files/folders."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-276",
                  "description": "CWE-276: Incorrect Default Permissions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-30T03:56:30.807Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c"
            },
            {
              "name": "https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30"
            },
            {
              "name": "https://github.com/goreleaser/nfpm/releases/tag/v2.29.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goreleaser/nfpm/releases/tag/v2.29.0"
            }
          ],
          "source": {
            "advisory": "GHSA-w7jw-q4fg-qc4c",
            "discovery": "UNKNOWN"
          },
          "title": "nfpm vulnerable to Incorrect Default Permissions"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-32698",
        "datePublished": "2023-05-30T03:56:30.807Z",
        "dateReserved": "2023-05-11T16:33:45.734Z",
        "dateUpdated": "2025-01-10T20:36:22.810Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }