Vulnerability Description
nFPM is an alternative to fpm. The file permissions on the checked-in files were not maintained. Hence, when nfpm packaged the files (without extra config for enforcing it’s own permissions) files could go out with bad permissions (chmod 666 or 777). Anyone using nfpm for creating packages without checking/setting file permissions before packaging could result in bad permissions for files/folders.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Goreleaser | Nfpm | >= 0.1.0, < 2.29.0 |
Related Weaknesses (CWE)
References
- https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680dPatch
- https://github.com/goreleaser/nfpm/releases/tag/v2.29.0Release Notes
- https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4cExploitMitigationVendor Advisory
- https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680dPatch
- https://github.com/goreleaser/nfpm/releases/tag/v2.29.0Release Notes
- https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4cExploitMitigationVendor Advisory
FAQ
What is CVE-2023-32698?
CVE-2023-32698 is a vulnerability with a CVSS score of 7.1 (HIGH). nFPM is an alternative to fpm. The file permissions on the checked-in files were not maintained. Hence, when nfpm packaged the files (without extra config for enforcing it’s own permissions) files co...
How severe is CVE-2023-32698?
CVE-2023-32698 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-32698?
Check the references section above for vendor advisories and patch information. Affected products include: Goreleaser Nfpm.