CVE-2023-32698

Published: May 30, 2023

Modified: Jan 10, 2025

PUBLISHED

CVSS v3.1

7.1

HIGH

Description

nFPM is an alternative to fpm. The file permissions on the checked-in files were not maintained. Hence, when nfpm packaged the files (without extra config for enforcing it’s own permissions) files could go out with bad permissions (chmod 666 or 777). Anyone using nfpm for creating packages without checking/setting file permissions before packaging could result in bad permissions for files/folders.

Vendor	Product	Versions
goreleaser	nfpm	affected `>= 2.0.0, < 2.29.0` affected `>= 0.1.0, < 2.29.0`

Weaknesses (CWE)

CWE-276

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

References

https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c

x_refsource_CONFIRM

https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30

x_refsource_MISC

https://github.com/goreleaser/nfpm/releases/tag/v2.29.0

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-32698

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References