CVE-2023-32698 HIGH

CVE-2023-32698: nfpm vulnerable to Incorrect Default Permissions

Vendor Goreleaser
Product nfpm
Weakness CWE-276
Published May 30, 2023
Last update January 10, 2025

CVSS base score

7.1/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

nFPM is an alternative to fpm. The file permissions on the checked-in files were not maintained. Hence, when nfpm packaged the files (without extra config for enforcing it’s own permissions) files could go out with bad permissions (chmod 666 or 777). Anyone using nfpm for creating packages without checking/setting file permissions before packaging could result in bad permissions for files/folders.

Key dates

02Disclosure timeline

May 30, 2023 CVE published
January 10, 2025 Record updated