nFPM is an alternative to fpm. The file permissions on the checked-in files were not maintained. Hence, when nfpm packaged
the files (without extra config for enforcing it’s own permissions) files could go out with bad permissions (chmod 666 or 777). Anyone using nfpm for creating packages without checking/setting file permissions before packaging could result in bad permissions for files/folders.
References
Link | Resource |
---|---|
https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30 | Patch |
https://github.com/goreleaser/nfpm/releases/tag/v2.29.0 | Release Notes |
https://github.com/goreleaser/nfpm/security/advisories/GHSA-w7jw-q4fg-qc4c | Exploit Mitigation Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-05-30T03:56:30.807Z
Updated: 2023-05-30T03:56:30.807Z
Reserved: 2023-05-11T16:33:45.734Z
Link: CVE-2023-32698
JSON object: View
NVD Information
Status : Analyzed
Published: 2023-05-30T04:15:10.187
Modified: 2023-06-06T19:29:45.097
Link: CVE-2023-32698
JSON object: View
Redhat Information
No data.
CWE