Lucene search

Alpine Linux Development TeamALPINE:CVE-2024-38531

HistoryJun 28, 2024 - 2:15 p.m.

CVE-2024-38531

2024-06-2814:15:03

Alpine Linux Development Team

security.alpinelinux.org

nix package manager

local users

hijack builds

daemon worker

permissions

unix

CVSS3

3.6

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L

AI Score

Confidence

Low

JSON

Nix is a package manager for Linux and other Unix systems that makes package management reliable and reproducible. A build process has access to and can change the permissions of the build directory. After creating a setuid binary in a globally accessible location, a malicious local user can assume the permissions of a Nix daemon worker and hijack all future builds. This issue was patched in version(s) 2.23.1, 2.22.2, 2.21.3, 2.20.7, 2.19.5 and 2.18.4.

OSVersionArchitecturePackageVersionFilename
Alpine3.20-communitynoarchnix= 2.22.0-r0UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Alpine	3.20-community	noarch	nix	= 2.22.0-r0	UNKNOWN

CVSS3

3.6

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L

AI Score

Confidence

Low

JSON

Related for ALPINE:CVE-2024-38531