blob: 1167ad2c3a2bbc74f82cb61765fc4e9894f34cd2 [file] [log] [blame]
id: GO-2023-1788
modules:
- module: github.com/goreleaser/nfpm/v2
versions:
- introduced: 2.0.0
- fixed: 2.29.0
vulnerable_at: 2.28.0
packages:
- package: github.com/goreleaser/nfpm/v2
symbols:
- ParseWithEnvMapping
- WithDefaults
derived_symbols:
- Config.Validate
- Info.Validate
- Parse
- ParseFile
- ParseFileWithEnvMapping
- PrepareForPackager
- Validate
- package: github.com/goreleaser/nfpm/v2/files
symbols:
- Content.WithFileInfoDefaults
- PrepareForPackager
- addGlobbedFiles
- addTree
summary: Incorrect permissions in github.com/goreleaser/nfpm/v2
description: |-
When nfpm packages files without additional configuration to enforce its own
permissions, the files could be packaged with incorrect permissions (chmod 666
or 777). Anyone who uses nfpm to create packages and does not check or set file
permissions before packaging could result in files or folders being packaged
with incorrect permissions.
cves:
- CVE-2023-32698
ghsas:
- GHSA-w7jw-q4fg-qc4c
credits:
- oCHRISo
- caarlos0
- djgilcrease
references:
- fix: https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30
- web: https://github.com/goreleaser/nfpm/releases/tag/v2.29.0
- advisory: https://github.com/advisories/GHSA-w7jw-q4fg-qc4c
review_status: REVIEWED