Vulnerability Details : CVE-2023-32698
Potential exploit
nFPM is an alternative to fpm. The file permissions on the checked-in files were not maintained. Hence, when nfpm packaged the files (without extra config for enforcing its own permissions), files could go out with bad permissions (chmod 666 or 777). Anyone using nfpm to create packages without checking or setting file permissions before packaging could end up with bad permissions on the packaged files and folders.
Products affected by CVE-2023-32698
- cpe:2.3:a:goreleaser:nfpm:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-32698
- EPSS score: 0.18% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~40% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2023-32698
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.1 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N | 1.8 | 5.2 | NIST | |
7.1 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N | 1.8 | 5.2 | GitHub, Inc. | |
CWE ids for CVE-2023-32698
- CWE-276: Incorrect Default Permissions. During installation, installed file permissions are set to allow anyone to modify those files.
Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)
References for CVE-2023-32698
- https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30
  sec: fix for CVE-2023-32698 · goreleaser/nfpm@ed9abdf · GitHub (Patch)
- https://github.com/goreleaser/nfpm/releases/tag/v2.29.0
  Release v2.29.0 · goreleaser/nfpm · GitHub (Release Notes)
- https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c
  Depending on usage of nfpm could produce CWE-276: Incorrect Default Permissions · Advisory · goreleaser/nfpm · GitHub (Exploit; Mitigation; Vendor Advisory)