nFPM is an alternative to fpm. The file permissions on the checked-in files were not maintained. Hence, when nfpm packaged
the files (without extra config for enforcing it’s own permissions) files could go out with bad permissions (chmod 666 or 777). Anyone using nfpm for creating packages without checking/setting file permissions before packaging could result in bad permissions for files/folders.
References
Link | Resource |
---|---|
https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30 | Patch |
https://github.com/goreleaser/nfpm/releases/tag/v2.29.0 | Release Notes |
https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c | Exploit Mitigation Vendor Advisory |
https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30 | Patch |
https://github.com/goreleaser/nfpm/releases/tag/v2.29.0 | Release Notes |
https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c | Exploit Mitigation Vendor Advisory |
Configurations
History
21 Nov 2024, 08:03
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30 - Patch | |
References | () https://github.com/goreleaser/nfpm/releases/tag/v2.29.0 - Release Notes | |
References | () https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c - Exploit, Mitigation, Vendor Advisory |
06 Jun 2023, 19:29
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30 - Patch | |
References | (MISC) https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c - Exploit, Mitigation, Vendor Advisory | |
References | (MISC) https://github.com/goreleaser/nfpm/releases/tag/v2.29.0 - Release Notes | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.1 |
CPE | cpe:2.3:a:goreleaser:nfpm:*:*:*:*:*:*:*:* | |
CWE | CWE-276 |
30 May 2023, 04:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-05-30 04:15
Updated : 2024-11-21 08:03
NVD link : CVE-2023-32698
Mitre link : CVE-2023-32698
CVE.ORG link : CVE-2023-32698
JSON object : View
Products Affected
goreleaser
- nfpm
CWE
CWE-276
Incorrect Default Permissions