VDB

CVE-2024-38531

CVE-2024-38531 PUBLISHED CVSS 3.5999999046325684 LOW

Nix is a package manager for Linux and other Unix systems that makes package management reliable and reproducible. A build process has access to and can change the permissions of the build directory. After creating a setuid binary in a globally accessible location, a malicious local user can assume the permissions of a Nix daemon worker and hijack all future builds. This issue was patched in version(s) 2.23.1, 2.22.2, 2.21.3, 2.20.7, 2.19.5 and 2.18.4.

EPSS 0.02% · 6.5th percentile

Risk Scores

CVSS 3.1
3.5999999046325684
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
EPSS Score
0.02%
6.5th percentile

Affected Products

VendorProductVersions
NixOSnix>= 2.22.0, < 2.22.2, >= 2.21.0, < 2.21.3, >= 2.20.0, < 2.20.7

Exploit Intelligence

Timeline

  • Jan 20, 1970 Fix PR Merged
  • Jan 21, 1970 Security Advisory
  • Jun 28, 2024 CVE Published
  • Jun 29, 2024 EPSS Score
  • Jul 21, 2024 EPSS Score
  • Aug 13, 2024 EPSS Score
  • Sep 4, 2024 EPSS Score
  • Sep 27, 2024 EPSS Score
  • Oct 4, 2024 Coalition ESS Score
  • Oct 19, 2024 EPSS Score
  • Oct 31, 2024 Coalition ESS Score
  • Nov 1, 2024 Coalition ESS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›