Vulnerability Description
Nix through 2.22.1 mishandles certain usage of hash caches, which makes it easier for attackers to replace current source code with attacker-controlled source code by luring a maintainer into accepting a malicious pull request.
CVSS Score
MEDIUM
References
- https://discourse.nixos.org/t/nixpkgs-supply-chain-security-project/34345
- https://discourse.nixos.org/t/security-advisory-privilege-escalations-in-nix-lix
- https://github.com/NixOS/nix/issues/969
- https://github.com/NixOS/ofborg/issues/68#issuecomment-2082789441
- https://discourse.nixos.org/t/nixpkgs-supply-chain-security-project/34345
- https://github.com/NixOS/nix/issues/969
- https://github.com/NixOS/ofborg/issues/68#issuecomment-2082789441
FAQ
What is CVE-2024-36050?
CVE-2024-36050 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Nix through 2.22.1 mishandles certain usage of hash caches, which makes it easier for attackers to replace current source code with attacker-controlled source code by luring a maintainer into acceptin...
How severe is CVE-2024-36050?
CVE-2024-36050 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-36050?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.