CVE-2023-32698
PUBLISHED
CVSS 7.1 HIGH
nFPM is an alternative to fpm. The file permissions on the checked-in files were not maintained. Hence, when nfpm packaged the files (without extra config for enforcing its own permissions), files could go out with bad permissions (chmod 666 or 777). Anyone using nfpm to create packages without checking or setting file permissions before packaging could end up with bad permissions on the packaged files and folders.
EPSS 0.06% · 18.7th percentile
Risk Scores
CVSS v3.1
7.1
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS Score
0.06%
18.7th percentile
Affected Products
| Vendor | Product | Affected versions |
|---|---|---|
| github.com | goreleaser/nfpm/v2 | 2.0.0 |
| github.com | goreleaser/nfpm | 0.1.0 |
| goreleaser | nfpm | >= 0.1.0, < 2.29.0 (including >= 2.0.0, < 2.29.0) |
Timeline
- May 24, 2023 CVE Published
- May 30, 2023 EPSS Score
- May 30, 2023 PoC Published
- Jul 5, 2023 EPSS Score
- Aug 10, 2023 EPSS Score
- Sep 15, 2023 EPSS Score
- Oct 21, 2023 EPSS Score
- Nov 26, 2023 EPSS Score
- Jan 1, 2024 EPSS Score
- Feb 6, 2024 EPSS Score
- Mar 13, 2024 EPSS Score
- Apr 18, 2024 EPSS Score
References
- GitHub security advisory: https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c
- Fix commit: https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30
- Fixed release: https://github.com/goreleaser/nfpm/releases/tag/v2.29.0
- NVD advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-32698
- Package: https://github.com/goreleaser/nfpm