CVE-2023-32698
Incorrect permissions in github.com/goreleaser/nfpm/v2
CVSS 3.1: 7.1 (HIGH)
EPSS: 0.13%
Description
When nfpm packages files without additional configuration to enforce its own permissions, the files could be packaged with incorrect permissions (chmod 666 or 777). Anyone who uses nfpm to create packages and does not check or set file permissions before packaging could end up with files or folders packaged with incorrect permissions.
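A pre-packaging check for the condition described above, as an added example that is not nfpm's own code: it walks a staging directory and reports anything writable by "other" (0666, 0777), optionally clearing group/other write bits. The name `AuditTree`, the command-line shape, and the assumption that on-disk modes in the staging directory are what ends up in the package are all illustrative.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// AuditTree (hypothetical helper) walks root, a staging directory, and returns
// every file or directory whose other-write bit is set, keyed by path.
// With fix=true it also clears group/other write (0666 -> 0644, 0777 -> 0755).
// Symlinks are skipped: their own mode bits are not meaningful on Linux.
func AuditTree(root string, fix bool) (map[string]fs.FileMode, error) {
	out := map[string]fs.FileMode{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		perm := info.Mode().Perm()
		if info.Mode()&fs.ModeSymlink != 0 || perm&0o002 == 0 {
			return nil
		}
		out[p] = perm // record the mode as found, before any fix
		if fix {
			return os.Chmod(p, perm&^0o022)
		}
		return nil
	})
	return out, err
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: audit <staging-dir> [fix]")
		os.Exit(2)
	}
	found, err := AuditTree(os.Args[1], len(os.Args) > 2 && os.Args[2] == "fix")
	for p, m := range found {
		fmt.Printf("%04o %s\n", uint32(m), p)
	}
	if err != nil || len(found) > 0 {
		os.Exit(1) // non-zero exit lets a build pipeline stop before packaging
	}
}
```

Run it against the staging tree as a build step before packaging; a non-zero exit means at least one path was flagged.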
How to fix CVE-2023-32698
To remediate CVE-2023-32698, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 2.29.0 or later
- —upgrade to 2.29.0 or later
Is CVE-2023-32698 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- >= 0.1.0, <= 1.10.3
- >= 2.0.0, < 2.29.0
- >= 2.0.0, < 2.29.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.1 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |