VDB
CVE-2024-27297
CVE-2024-27297
PUBLISHED
CVSS 6.300000190734863 MEDIUM
Nix is a package manager for Linux and other Unix systems. A fixed-output derivations on Linux can send file descriptors to files in the Nix store to another program running on the host (or another fixed-output derivation) via Unix domain sockets in the abstract namespace. This allows to modify the output of the derivation, after Nix has registered the path as "valid" and immutable in the Nix database. In particular, this allows the output of fixed-output derivations to be modified from their expected content. This issue has been addressed in versions 2.3.18 2.18.2 2.19.4 and 2.20.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
EPSS 0.06% · 19.6th percentile
Risk Scores
CVSS v3.1
6.300000190734863
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
EPSS Score
0.06%
19.6th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| NixOS | nix | *, >= 2.3.0, < 2.3.18, >= 2.4.0, < 2.18.2 |
| nixos | nix | 0, 2.4, 2.19.0 |
Timeline
- Jan 21, 1970 Security Advisory
- Mar 11, 2024 CVE Published
- Mar 12, 2024 EPSS Score
- Apr 7, 2024 EPSS Score
- May 3, 2024 EPSS Score
- Jun 25, 2024 EPSS Score
- Jul 21, 2024 EPSS Score
- Aug 16, 2024 EPSS Score
- Sep 11, 2024 EPSS Score
- Oct 4, 2024 Coalition ESS Score
- Oct 8, 2024 EPSS Score
- Nov 29, 2024 EPSS Score