Vulnerability-Lookup

CVE-2023-32698 (GCVE-0-2023-32698)

Vulnerability from cvelistv5 – Published: 2023-05-30 03:56 – Updated: 2025-01-10 20:36

Title

nfpm vulnerable to Incorrect Default Permissions

Summary

nFPM is an alternative to fpm. The file permissions on the checked-in files were not maintained. Hence, when nfpm packaged the files (without extra config for enforcing it’s own permissions) files could go out with bad permissions (chmod 666 or 777). Anyone using nfpm for creating packages without checking/setting file permissions before packaging could result in bad permissions for files/folders.

Severity ?

7.1 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-276 - Incorrect Default Permissions

Assigner

GitHub_M

References

URL

Tags

	https://github.com/goreleaser/nfpm/security/advis…	x_refsource_CONFIRM
	https://github.com/goreleaser/nfpm/commit/ed9abdf…	x_refsource_MISC
	https://github.com/goreleaser/nfpm/releases/tag/v2.29.0	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	goreleaser	nfpm	Affected: >= 2.0.0, < 2.29.0 Affected: >= 0.1.0, < 2.29.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:25:36.897Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c"
          },
          {
            "name": "https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30"
          },
          {
            "name": "https://github.com/goreleaser/nfpm/releases/tag/v2.29.0",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/goreleaser/nfpm/releases/tag/v2.29.0"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-32698",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-10T20:36:13.134834Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-10T20:36:22.810Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nfpm",
          "vendor": "goreleaser",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.0.0, \u003c 2.29.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.1.0, \u003c 2.29.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "nFPM is an alternative to fpm. The file permissions on the checked-in files were not maintained. Hence, when nfpm packaged \nthe files (without extra config for enforcing it\u2019s own permissions) files could go out with bad permissions (chmod 666 or 777). Anyone using nfpm for creating packages without checking/setting file permissions before packaging could result in bad permissions for files/folders."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-276",
              "description": "CWE-276: Incorrect Default Permissions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-30T03:56:30.807Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c"
        },
        {
          "name": "https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30"
        },
        {
          "name": "https://github.com/goreleaser/nfpm/releases/tag/v2.29.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/goreleaser/nfpm/releases/tag/v2.29.0"
        }
      ],
      "source": {
        "advisory": "GHSA-w7jw-q4fg-qc4c",
        "discovery": "UNKNOWN"
      },
      "title": "nfpm vulnerable to Incorrect Default Permissions"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-32698",
    "datePublished": "2023-05-30T03:56:30.807Z",
    "dateReserved": "2023-05-11T16:33:45.734Z",
    "dateUpdated": "2025-01-10T20:36:22.810Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-32698\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-05-30T04:15:10.187\",\"lastModified\":\"2024-11-21T08:03:52.560\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"nFPM is an alternative to fpm. The file permissions on the checked-in files were not maintained. Hence, when nfpm packaged \\nthe files (without extra config for enforcing it\u2019s own permissions) files could go out with bad permissions (chmod 666 or 777). Anyone using nfpm for creating packages without checking/setting file permissions before packaging could result in bad permissions for files/folders.\"},{\"lang\":\"es\",\"value\":\"nFPM es una alternativa a fpm. Los permisos de los archivos registrados no se manten\u00edan. Por lo tanto, cuando nfpm empaquetaba los archivos (sin configuraci\u00f3n adicional para hacer cumplir sus propios permisos) los archivos pod\u00edan salir con permisos incorrectos (chmod 666 o 777). Cualquiera que utilice nfpm para crear paquetes sin comprobar/configurar los permisos de los archivos antes de empaquetarlos podr\u00eda dar lugar a permisos incorrectos para los archivos/carpetas. \"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-276\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-276\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:goreleaser:nfpm:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"0.1.0\",\"versionEndExcluding\":\"2.29.0\",\"matchCriteriaId\":\"325B45DF-6615-4FC7-B712-4A80B0661905\"}]}]}],\"references\":[{\"url\":\"https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/goreleaser/nfpm/releases/tag/v2.29.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/goreleaser/nfpm/releases/tag/v2.29.0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"nfpm vulnerable to Incorrect Default Permissions\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-276\", \"lang\": \"en\", \"description\": \"CWE-276: Incorrect Default Permissions\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"LOCAL\", \"availabilityImpact\": \"NONE\", \"baseScore\": 7.1, \"baseSeverity\": \"HIGH\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c\"}, {\"name\": \"https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30\"}, {\"name\": \"https://github.com/goreleaser/nfpm/releases/tag/v2.29.0\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/goreleaser/nfpm/releases/tag/v2.29.0\"}], \"affected\": [{\"vendor\": \"goreleaser\", \"product\": \"nfpm\", \"versions\": [{\"version\": \"\u003e= 2.0.0, \u003c 2.29.0\", \"status\": \"affected\"}, {\"version\": \"\u003e= 0.1.0, \u003c 2.29.0\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-05-30T03:56:30.807Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"nFPM is an alternative to fpm. The file permissions on the checked-in files were not maintained. Hence, when nfpm packaged \\nthe files (without extra config for enforcing it\\u2019s own permissions) files could go out with bad permissions (chmod 666 or 777). Anyone using nfpm for creating packages without checking/setting file permissions before packaging could result in bad permissions for files/folders.\"}], \"source\": {\"advisory\": \"GHSA-w7jw-q4fg-qc4c\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T15:25:36.897Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"name\": \"https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"], \"url\": \"https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c\"}, {\"name\": \"https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30\"}, {\"name\": \"https://github.com/goreleaser/nfpm/releases/tag/v2.29.0\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://github.com/goreleaser/nfpm/releases/tag/v2.29.0\"}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-32698\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-10T20:36:13.134834Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-10T20:36:18.865Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-32698\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2023-05-11T16:33:45.734Z\", \"datePublished\": \"2023-05-30T03:56:30.807Z\", \"dateUpdated\": \"2025-01-10T20:36:22.810Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-W7JW-Q4FG-QC4C

Vulnerability from github – Published: 2023-05-24 17:30 – Updated: 2024-05-20 21:52

Summary

nfpm has incorrect default permissions

Details

Summary

When building packages directly from source control, file permissions on the checked-in files are not maintained.

Details

When building packages directly from source control, file permissions on the checked-in files are not maintained. When nfpm packaged the files (without extra config for enforcing its own permissions) files could go out with bad permissions (chmod 666 or 777).

PoC

Create a default nfpm structure.

Within the test folder, create 3 files named chmod-XXX.sh. Each script has file permissions set corresponding with their file names (chmod-777.sh = chmod 777). Below each file and permissions can be seen.

$ ls -lart test 
total 24
-rwxrwxrwx   1 user  group   11 May 19 13:15 chmod-777.sh
-rw-rw-rw-   1 user  group   11 May 19 13:16 chmod-666.sh
drwxr-xr-x   5 user  group  160 May 19 13:19 .
-rw-rw-r--   1 user  group   11 May 19 13:19 chmod-664.sh
drwxr-xr-x  10 user  group  320 May 19 13:29 ..

Below is the snippet nfpm configuration file of the contents of the package. The test folder and files has no extra config for enforcing permissions.

contents:
- src: foo-binary
  dst: /usr/bin/bar
- src: bar-config.conf
  dst: /etc/foo-binary/bar-config.conf
  type: config
- src: test
  dst: /etc/test/scripts

The next step is to create a deb package.

$ nfpm package -p deb # Create dep package
using deb packager...
created package: foo_1.0.0_arm64.deb

When on a Ubuntu VM, install the foo package which was created

$ sudo dpkg -i foo_1.0.0_arm64.deb # Installing deb package within Ubuntu
Selecting previously unselected package foo.
(Reading database ... 67540 files and directories currently installed.)
Preparing to unpack foo_1.0.0_arm64.deb ...
Unpacking foo (1.0.0) ...
Setting up foo (1.0.0) ...

Looking at /etc/test/scripts and viewing the permissions. Permissions are passed exactly the same as the source.

$ ls -lart /etc/test/scripts
total 20
-rwxrwxrwx 1 root root   11 May 22 12:15 chmod-777.sh
-rw-rw-rw- 1 root root   11 May 22 12:16 chmod-666.sh
-rw-rw-r-- 1 root root   11 May 22 12:19 chmod-664.sh
drwxr-xr-x 3 root root 4096 May 22 13:00 ..
drwxr-xr-x 2 root root 4096 May 22 13:00 .

Solution

To prevent world-writable files from making it into the packages, add the ability to override the default permissions of packaged files using a umask config option in the packaging spec file. This feature in nfpm would allow applying a global umask across any files being packaged, therefore, with the correct configuration, preventing world-writable files without needing to list permissions on each and every file in the package

Impact

Vulnerability is https://cwe.mitre.org/data/definitions/276.html https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Anyone using nfpm for creating packages and not checking/setting file permissions before packaging could result in bad permissions for files/folders.

Severity ?

7.1 (High)


                  
                    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/goreleaser/nfpm/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.29.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/goreleaser/nfpm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1.0"
            },
            {
              "last_affected": "1.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-32698"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-24T17:30:16Z",
    "nvd_published_at": "2023-05-30T04:15:10Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nWhen building packages directly from source control, file permissions on the checked-in files are not maintained. \n\n### Details\nWhen building packages directly from source control, file permissions on the checked-in files are not maintained. When nfpm packaged the files (without extra config for enforcing its own permissions) files could go out with bad permissions (chmod 666 or 777).\n\n### PoC\nCreate a default nfpm structure. \n\nWithin the test folder, create 3 files named `chmod-XXX.sh`. Each script has file \npermissions set corresponding with their file names (`chmod-777.sh` = `chmod 777`). Below each \nfile and permissions can be seen.\n\n```console\n$ ls -lart test \ntotal 24\n-rwxrwxrwx   1 user  group   11 May 19 13:15 chmod-777.sh\n-rw-rw-rw-   1 user  group   11 May 19 13:16 chmod-666.sh\ndrwxr-xr-x   5 user  group  160 May 19 13:19 .\n-rw-rw-r--   1 user  group   11 May 19 13:19 chmod-664.sh\ndrwxr-xr-x  10 user  group  320 May 19 13:29 ..\n```\n\nBelow is the snippet nfpm configuration file of the contents of the package. The test folder \nand files has no extra config for enforcing permissions. \n\n```yaml\ncontents:\n- src: foo-binary\n  dst: /usr/bin/bar\n- src: bar-config.conf\n  dst: /etc/foo-binary/bar-config.conf\n  type: config\n- src: test\n  dst: /etc/test/scripts\n```\n\nThe next step is to create a deb package.\n\n```console\n$ nfpm package -p deb # Create dep package\nusing deb packager...\ncreated package: foo_1.0.0_arm64.deb\n```\n\nWhen on a Ubuntu VM, install the foo package which was created\n\n```console\n$ sudo dpkg -i foo_1.0.0_arm64.deb # Installing deb package within Ubuntu\nSelecting previously unselected package foo.\n(Reading database ... 67540 files and directories currently installed.)\nPreparing to unpack foo_1.0.0_arm64.deb ...\nUnpacking foo (1.0.0) ...\nSetting up foo (1.0.0) ...\n```\n\nLooking at `/etc/test/scripts` and viewing the permissions. Permissions are passed exactly the same as the source.\n\n```console\n$ ls -lart /etc/test/scripts\ntotal 20\n-rwxrwxrwx 1 root root   11 May 22 12:15 chmod-777.sh\n-rw-rw-rw- 1 root root   11 May 22 12:16 chmod-666.sh\n-rw-rw-r-- 1 root root   11 May 22 12:19 chmod-664.sh\ndrwxr-xr-x 3 root root 4096 May 22 13:00 ..\ndrwxr-xr-x 2 root root 4096 May 22 13:00 .\n```\n\n\n## Solution\nTo prevent world-writable files from making it into the packages, add the ability to override the default permissions of packaged files using a umask config option in the packaging spec file. This feature in nfpm would allow applying a global umask across any files being packaged, therefore, with the correct configuration, preventing world-writable files without needing to list permissions on each and every file in the package\n\n\n### Impact\n\nVulnerability is https://cwe.mitre.org/data/definitions/276.html\nhttps://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\n\nAnyone using nfpm for creating packages and not checking/setting file permissions before packaging could result in bad permissions for files/folders.",
  "id": "GHSA-w7jw-q4fg-qc4c",
  "modified": "2024-05-20T21:52:23Z",
  "published": "2023-05-24T17:30:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32698"
    },
    {
      "type": "WEB",
      "url": "https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/goreleaser/nfpm"
    },
    {
      "type": "WEB",
      "url": "https://github.com/goreleaser/nfpm/releases/tag/v2.29.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "nfpm has incorrect default permissions"
}

FKIE_CVE-2023-32698

Vulnerability from fkie_nvd - Published: 2023-05-30 04:15 - Updated: 2024-11-21 08:03

Severity ?

7.1 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
7.1 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30	Patch
security-advisories@github.com	https://github.com/goreleaser/nfpm/releases/tag/v2.29.0	Release Notes
security-advisories@github.com	https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c	Exploit, Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/goreleaser/nfpm/releases/tag/v2.29.0	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	goreleaser	nfpm	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:goreleaser:nfpm:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "325B45DF-6615-4FC7-B712-4A80B0661905",
              "versionEndExcluding": "2.29.0",
              "versionStartIncluding": "0.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "nFPM is an alternative to fpm. The file permissions on the checked-in files were not maintained. Hence, when nfpm packaged \nthe files (without extra config for enforcing it\u2019s own permissions) files could go out with bad permissions (chmod 666 or 777). Anyone using nfpm for creating packages without checking/setting file permissions before packaging could result in bad permissions for files/folders."
    },
    {
      "lang": "es",
      "value": "nFPM es una alternativa a fpm. Los permisos de los archivos registrados no se manten\u00edan. Por lo tanto, cuando nfpm empaquetaba los archivos (sin configuraci\u00f3n adicional para hacer cumplir sus propios permisos) los archivos pod\u00edan salir con permisos incorrectos (chmod 666 o 777). Cualquiera que utilice nfpm para crear paquetes sin comprobar/configurar los permisos de los archivos antes de empaquetarlos podr\u00eda dar lugar a permisos incorrectos para los archivos/carpetas. "
    }
  ],
  "id": "CVE-2023-32698",
  "lastModified": "2024-11-21T08:03:52.560",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-05-30T04:15:10.187",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/goreleaser/nfpm/releases/tag/v2.29.0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/goreleaser/nfpm/releases/tag/v2.29.0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-276"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-276"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2023-32698

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2023-32698

Aliases

CVE-2023-32698

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-32698",
    "id": "GSD-2023-32698"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-32698"
      ],
      "details": "nFPM is an alternative to fpm. The file permissions on the checked-in files were not maintained. Hence, when nfpm packaged \nthe files (without extra config for enforcing it\u2019s own permissions) files could go out with bad permissions (chmod 666 or 777). Anyone using nfpm for creating packages without checking/setting file permissions before packaging could result in bad permissions for files/folders.",
      "id": "GSD-2023-32698",
      "modified": "2023-12-13T01:20:23.748627Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-32698",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "nfpm",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 2.0.0, \u003c 2.29.0"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 0.1.0, \u003c 2.29.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "goreleaser"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "nFPM is an alternative to fpm. The file permissions on the checked-in files were not maintained. Hence, when nfpm packaged \nthe files (without extra config for enforcing it\u2019s own permissions) files could go out with bad permissions (chmod 666 or 777). Anyone using nfpm for creating packages without checking/setting file permissions before packaging could result in bad permissions for files/folders."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-276",
                "lang": "eng",
                "value": "CWE-276: Incorrect Default Permissions"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c",
            "refsource": "MISC",
            "url": "https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c"
          },
          {
            "name": "https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30",
            "refsource": "MISC",
            "url": "https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30"
          },
          {
            "name": "https://github.com/goreleaser/nfpm/releases/tag/v2.29.0",
            "refsource": "MISC",
            "url": "https://github.com/goreleaser/nfpm/releases/tag/v2.29.0"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-w7jw-q4fg-qc4c",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=v0.1.0 \u003cv2.29.0",
          "affected_versions": "All versions starting from 0.1.0 before 2.29.0",
          "cvss_v3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-276",
            "CWE-937"
          ],
          "date": "2023-06-06",
          "description": "### Summary\nWhen building packages directly from source control, file permissions on the checked-in files are not maintained. \n\n### Details\nWhen building packages directly from source control, file permissions on the checked-in files are not maintained. When nfpm packaged the files (without extra config for enforcing its own permissions) files could go out with bad permissions (chmod 666 or 777).\n\n### PoC\nCreate a default nfpm structure. \n\nWithin the test folder, create 3 files named `chmod-XXX.sh`. Each script has file \npermissions set corresponding with their file names (`chmod-777.sh` = `chmod 777`). Below each \nfile and permissions can be seen.\n\n```console\n$ ls -lart test \ntotal 24\n-rwxrwxrwx 1 user group 11 May 19 13:15 chmod-777.sh\n-rw-rw-rw- 1 user group 11 May 19 13:16 chmod-666.sh\ndrwxr-xr-x 5 user group 160 May 19 13:19 .\n-rw-rw-r-- 1 user group 11 May 19 13:19 chmod-664.sh\ndrwxr-xr-x 10 user group 320 May 19 13:29 ..\n```\n\nBelow is the snippet nfpm configuration file of the contents of the package. The test folder \nand files has no extra config for enforcing permissions. \n\n```yaml\ncontents:\n- src: foo-binary\n dst: /usr/bin/bar\n- src: bar-config.conf\n dst: /etc/foo-binary/bar-config.conf\n type: config\n- src: test\n dst: /etc/test/scripts\n```\n\nThe next step is to create a deb package.\n\n```console\n$ nfpm package -p deb # Create dep package\nusing deb packager...\ncreated package: foo_1.0.0_arm64.deb\n```\n\nWhen on a Ubuntu VM, install the foo package which was created\n\n```console\n$ sudo dpkg -i foo_1.0.0_arm64.deb # Installing deb package within Ubuntu\nSelecting previously unselected package foo.\n(Reading database ... 67540 files and directories currently installed.)\nPreparing to unpack foo_1.0.0_arm64.deb ...\nUnpacking foo (1.0.0) ...\nSetting up foo (1.0.0) ...\n```\n\nLooking at `/etc/test/scripts` and viewing the permissions. Permissions are passed exactly the same as the source.\n\n```console\n$ ls -lart /etc/test/scripts\ntotal 20\n-rwxrwxrwx 1 root root 11 May 22 12:15 chmod-777.sh\n-rw-rw-rw- 1 root root 11 May 22 12:16 chmod-666.sh\n-rw-rw-r-- 1 root root 11 May 22 12:19 chmod-664.sh\ndrwxr-xr-x 3 root root 4096 May 22 13:00 ..\ndrwxr-xr-x 2 root root 4096 May 22 13:00 .\n```\n\n\n## Solution\nTo prevent world-writable files from making it into the packages, add the ability to override the default permissions of packaged files using a umask config option in the packaging spec file. This feature in nfpm would allow applying a global umask across any files being packaged, therefore, with the correct configuration, preventing world-writable files without needing to list permissions on each and every file in the package\n\n\n### Impact\n\nVulnerability is https://cwe.mitre.org/data/definitions/276.html\nhttps://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\n\nAnyone using nfpm for creating packages and not checking/setting file permissions before packaging could result in bad permissions for files/folders.",
          "fixed_versions": [
            "v2.29.0"
          ],
          "identifier": "CVE-2023-32698",
          "identifiers": [
            "CVE-2023-32698",
            "GHSA-w7jw-q4fg-qc4c"
          ],
          "not_impacted": "All versions before 0.1.0, all versions starting from 2.29.0",
          "package_slug": "go/github.com/goreleaser/nfpm",
          "pubdate": "2023-05-30",
          "solution": "Upgrade to version 2.29.0 or above.",
          "title": "nfpm has incorrect default permissions",
          "urls": [
            "https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c",
            "https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30",
            "https://github.com/goreleaser/nfpm/releases/tag/v2.29.0",
            "https://github.com/advisories/GHSA-w7jw-q4fg-qc4c"
          ],
          "uuid": "501e3dbf-3591-440d-b8ef-4778afab8b26",
          "versions": [
            {
              "commit": {
                "sha": "37a2dbf86bc30fce37fdb68fef410f267a15ee37",
                "tags": [
                  "v0.1.0"
                ],
                "timestamp": "20180212211537"
              },
              "number": "v0.1.0"
            },
            {
              "commit": {
                "sha": "d614ec96365e18bec9449d8b0ae6e5d667ef0a2d",
                "tags": [
                  "v2.29.0"
                ],
                "timestamp": "20230524025709"
              },
              "number": "v2.29.0"
            }
          ]
        },
        {
          "affected_range": "\u003e=v2.0.0 \u003cv2.29.0",
          "affected_versions": "All versions starting from 2.0.0 before 2.29.0",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2023-06-06",
          "description": "### Summary\nWhen building packages directly from source control, file permissions on the checked-in files are not maintained. \n\n### Details\nWhen building packages directly from source control, file permissions on the checked-in files are not maintained. When nfpm packaged the files (without extra config for enforcing its own permissions) files could go out with bad permissions (chmod 666 or 777).\n\n### PoC\nCreate a default nfpm structure. \n\nWithin the test folder, create 3 files named `chmod-XXX.sh`. Each script has file \npermissions set corresponding with their file names (`chmod-777.sh` = `chmod 777`). Below each \nfile and permissions can be seen.\n\n```console\n$ ls -lart test \ntotal 24\n-rwxrwxrwx 1 user group 11 May 19 13:15 chmod-777.sh\n-rw-rw-rw- 1 user group 11 May 19 13:16 chmod-666.sh\ndrwxr-xr-x 5 user group 160 May 19 13:19 .\n-rw-rw-r-- 1 user group 11 May 19 13:19 chmod-664.sh\ndrwxr-xr-x 10 user group 320 May 19 13:29 ..\n```\n\nBelow is the snippet nfpm configuration file of the contents of the package. The test folder \nand files has no extra config for enforcing permissions. \n\n```yaml\ncontents:\n- src: foo-binary\n dst: /usr/bin/bar\n- src: bar-config.conf\n dst: /etc/foo-binary/bar-config.conf\n type: config\n- src: test\n dst: /etc/test/scripts\n```\n\nThe next step is to create a deb package.\n\n```console\n$ nfpm package -p deb # Create dep package\nusing deb packager...\ncreated package: foo_1.0.0_arm64.deb\n```\n\nWhen on a Ubuntu VM, install the foo package which was created\n\n```console\n$ sudo dpkg -i foo_1.0.0_arm64.deb # Installing deb package within Ubuntu\nSelecting previously unselected package foo.\n(Reading database ... 67540 files and directories currently installed.)\nPreparing to unpack foo_1.0.0_arm64.deb ...\nUnpacking foo (1.0.0) ...\nSetting up foo (1.0.0) ...\n```\n\nLooking at `/etc/test/scripts` and viewing the permissions. Permissions are passed exactly the same as the source.\n\n```console\n$ ls -lart /etc/test/scripts\ntotal 20\n-rwxrwxrwx 1 root root 11 May 22 12:15 chmod-777.sh\n-rw-rw-rw- 1 root root 11 May 22 12:16 chmod-666.sh\n-rw-rw-r-- 1 root root 11 May 22 12:19 chmod-664.sh\ndrwxr-xr-x 3 root root 4096 May 22 13:00 ..\ndrwxr-xr-x 2 root root 4096 May 22 13:00 .\n```\n\n\n## Solution\nTo prevent world-writable files from making it into the packages, add the ability to override the default permissions of packaged files using a umask config option in the packaging spec file. This feature in nfpm would allow applying a global umask across any files being packaged, therefore, with the correct configuration, preventing world-writable files without needing to list permissions on each and every file in the package\n\n\n### Impact\n\nVulnerability is https://cwe.mitre.org/data/definitions/276.html\nhttps://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\n\nAnyone using nfpm for creating packages and not checking/setting file permissions before packaging could result in bad permissions for files/folders.",
          "fixed_versions": [
            "v2.29.0"
          ],
          "identifier": "CVE-2023-32698",
          "identifiers": [
            "CVE-2023-32698",
            "GHSA-w7jw-q4fg-qc4c"
          ],
          "not_impacted": "All versions before 2.0.0, all versions starting from 2.29.0",
          "package_slug": "go/github.com/goreleaser/nfpm/v2",
          "pubdate": "2023-05-30",
          "solution": "Upgrade to version 2.29.0 or above.",
          "title": "nfpm has incorrect default permissions",
          "urls": [
            "https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c",
            "https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30",
            "https://github.com/goreleaser/nfpm/releases/tag/v2.29.0",
            "https://github.com/advisories/GHSA-w7jw-q4fg-qc4c"
          ],
          "uuid": "80ef22c0-284d-4a15-bf6c-6409c4e13b4e",
          "versions": [
            {
              "commit": {
                "sha": "62357a65e28f92d5209e798221977fbeced698fe",
                "tags": [
                  "v2.0.0"
                ],
                "timestamp": "20201223132557"
              },
              "number": "v2.0.0"
            },
            {
              "commit": {
                "sha": "d614ec96365e18bec9449d8b0ae6e5d667ef0a2d",
                "tags": [
                  "v2.29.0"
                ],
                "timestamp": "20230524025709"
              },
              "number": "v2.29.0"
            }
          ]
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:goreleaser:nfpm:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.29.0",
                "versionStartIncluding": "0.1.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-32698"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "nFPM is an alternative to fpm. The file permissions on the checked-in files were not maintained. Hence, when nfpm packaged \nthe files (without extra config for enforcing it\u2019s own permissions) files could go out with bad permissions (chmod 666 or 777). Anyone using nfpm for creating packages without checking/setting file permissions before packaging could result in bad permissions for files/folders."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-276"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Mitigation",
                "Vendor Advisory"
              ],
              "url": "https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c"
            },
            {
              "name": "https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30"
            },
            {
              "name": "https://github.com/goreleaser/nfpm/releases/tag/v2.29.0",
              "refsource": "MISC",
              "tags": [
                "Release Notes"
              ],
              "url": "https://github.com/goreleaser/nfpm/releases/tag/v2.29.0"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 5.2
        }
      },
      "lastModifiedDate": "2023-06-06T19:29Z",
      "publishedDate": "2023-05-30T04:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-32698 (GCVE-0-2023-32698)

GHSA-W7JW-Q4FG-QC4C

Summary

Details

PoC

Solution

Impact

FKIE_CVE-2023-32698

GSD-2023-32698

Tags

Sightings

Nomenclature