CVE-2023-32698
HIGH
Goreleaser Nfpm < 2.29.0 - Incorrect Default Permissions
Title source: ruleDescription
nFPM is an alternative to fpm. The file permissions of the checked-in files were not maintained, so when nFPM packaged those files (without extra configuration that enforces nFPM's own permissions) the files could ship with overly permissive modes (0666 or 0777). Anyone using nFPM to build packages without checking or setting file permissions before packaging could therefore produce packages whose files and directories carry bad permissions.
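A practical check for the failure mode described above, added here as an example (this is not nfpm's code and not part of the original advisory): walk a package data archive in tar form and flag every file or directory whose mode bits allow writes by group or others, which catches both the 0666 and 0777 modes the advisory names. The archive scanned below is constructed in memory to mimic a package built from a checkout whose modes were not preserved; the paths, contents and modes in it are made up for the demonstration. Pass a tar path as the first argument to scan a real archive instead.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"os"
)

// Finding records one archive entry whose permission bits allow
// group or other (world) writes.
type Finding struct {
	Name string
	Mode int64 // permission bits only, e.g. 0666
}

// WorldOrGroupWritable reports whether the mode grants write to group or
// others. 0666 and 0777 trip this check; 0644 and 0755 do not.
func WorldOrGroupWritable(mode int64) bool {
	return mode&0o022 != 0
}

// ScanTar reads a tar stream header by header and returns every entry
// (regular file or directory) that is group- or world-writable, in archive
// order. Entry bodies are skipped, not read.
func ScanTar(r io.Reader) ([]Finding, error) {
	tr := tar.NewReader(r)
	var findings []Finding
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return findings, nil
		}
		if err != nil {
			return nil, err
		}
		if WorldOrGroupWritable(hdr.Mode) {
			findings = append(findings, Finding{Name: hdr.Name, Mode: hdr.Mode & 0o777})
		}
	}
}

// BuildSampleTar constructs an in-memory archive (constructed sample data,
// not a real package): one binary with a sane mode, one world-writable
// config file and one world-writable directory, the shape of package a
// non-preserved checkout could produce.
func BuildSampleTar() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	entries := []struct {
		name string
		mode int64
		typ  byte
		body string
	}{
		{"./usr/bin/app", 0o755, tar.TypeReg, "#!/bin/sh\necho app\n"},
		{"./etc/app/config.yaml", 0o666, tar.TypeReg, "debug: false\n"},
		{"./var/lib/app/", 0o777, tar.TypeDir, ""},
	}
	for _, e := range entries {
		hdr := &tar.Header{Name: e.name, Mode: e.mode, Typeflag: e.typ, Size: int64(len(e.body))}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if e.typ == tar.TypeReg {
			if _, err := io.WriteString(tw, e.body); err != nil {
				panic(err)
			}
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	var src io.Reader = bytes.NewReader(BuildSampleTar())
	if len(os.Args) > 1 {
		f, err := os.Open(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		defer f.Close()
		src = f
	}
	findings, err := ScanTar(src)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Printf("writable by group/others: %s %04o\n", f.Name, f.Mode)
	}
	if len(findings) > 0 {
		os.Exit(1) // non-zero so a CI step fails on a badly-permissioned package
	}
}
```

Run against a .deb by first extracting its data archive (for example with `ar x` and decompressing `data.tar.*`), or against any tar produced by nfpm's archive target. The configuration-side fix the advisory alludes to is to set modes explicitly per entry in nfpm.yaml (the `file_info.mode` field under `contents`), rather than relying on whatever the checkout happens to carry; the scan above is the independent check that the built artifact actually honours those modes.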
References (3)
Exploit, Mitigation, Vendor Advisory x_refsource_confirm
https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c
Patch x_refsource_misc
https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30
Release Notes x_refsource_misc
https://github.com/goreleaser/nfpm/releases/tag/v2.29.0
Scores
CVSS v3
7.1
EPSS
0.0022
EPSS Percentile
44.2%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-276
Status
published
Products (3)
goreleaser/nfpm
0.1.0 (Go)
goreleaser/nfpm
0.1.0 - 2.29.0
goreleaser/nfpm
2.0.0 - 2.29.0 (Go)
Published
May 30, 2023
Tracked Since
Feb 18, 2026