Vulnerability Report: GO-2023-1788

CVE-2023-32698, GHSA-w7jw-q4fg-qc4c
Affects: github.com/goreleaser/nfpm/v2
Published: Jun 01, 2023
Modified: May 20, 2024

When nfpm packages files without additional configuration to enforce its own permissions, the files could be packaged with incorrect permissions (chmod 666 or 777). Anyone who uses nfpm to create packages and does not check or set file permissions before packaging could result in files or folders being packaged with incorrect permissions.

For detailed information about this vulnerability, visit https://github.com/advisories/GHSA-w7jw-q4fg-qc4c.

Affected Packages

Path

Go Versions

Symbols
github.com/goreleaser/nfpm/v2

from v2.0.0 before v2.29.0
9 affected symbols
github.com/goreleaser/nfpm/v2/files

from v2.0.0 before v2.29.0
- Content.WithFileInfoDefaults
- PrepareForPackager

Aliases

CVE-2023-32698
GHSA-w7jw-q4fg-qc4c

References

https://github.com/goreleaser/nfpm/commit/ed9abdf63d5012cc884f2a83b4ab2b42b3680d30
https://github.com/goreleaser/nfpm/releases/tag/v2.29.0
https://github.com/advisories/GHSA-w7jw-q4fg-qc4c
https://vuln.go.dev/ID/GO-2023-1788.json

Credits

oCHRISo, caarlos0, djgilcrease

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL