3 results (0.006 seconds)

CVSS: 1.0EPSS: 0%CPEs: 7EXPL: 0

Nix is a package manager for Linux and other Unix systems. On macOS, built-in builders (such as `builtin:fetchurl`, exposed to users with `import <nix/fetchurl.nix>`) were not executed in the macOS sandbox. Thus, these builders (which are running under the `nixbld*` users) had read access to world-readable paths and write access to world-writable paths outside of the sandbox. This issue is fixed in 2.18.9, 2.19.7, 2.20.9, 2.21.5, 2.22.4, 2.23.4, and 2.24.10. Note that sandboxing is not enabled by default on macOS. • https://github.com/NixOS/nix/commit/597fcc98e18e3178734d06a9e7306250e8cb8d74 https://github.com/NixOS/nix/security/advisories/GHSA-wf4c-57rh-9pjg • CWE-693: Protection Mechanism Failure •

CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 0

Nix is a package manager for Linux and other Unix systems. Starting in version 1.11 and prior to versions 2.18.8 and 2.24.8, `<nix/fetchurl.nix>` did not verify TLS certificates on HTTPS connections. This could lead to connection details such as full URLs or credentials leaking in case of a man-in-the-middle (MITM) attack. `<nix/fetchurl.nix>` is also known as the builtin derivation builder `builtin:fetchurl`. It's not to be confused with the evaluation-time function `builtins.fetchurl`, which was not affected by this issue. • https://github.com/NixOS/nix/commit/062b4a489e30da9c85fa4ff15cfdd2e51cac7b90 https://github.com/NixOS/nix/commit/5db358d4d78aea7204a8f22c5bf2a309267ee038 https://github.com/NixOS/nix/pull/11585 https://github.com/NixOS/nix/security/advisories/GHSA-6fjr-mq49-mm2c • CWE-287: Improper Authentication •

CVSS: 3.6EPSS: 0%CPEs: 6EXPL: 0

Nix is a package manager for Linux and other Unix systems that makes package management reliable and reproducible. A build process has access to and can change the permissions of the build directory. After creating a setuid binary in a globally accessible location, a malicious local user can assume the permissions of a Nix daemon worker and hijack all future builds. This issue was patched in version(s) 2.23.1, 2.22.2, 2.21.3, 2.20.7, 2.19.5 and 2.18.4. Nix es un administrador de paquetes para Linux y otros sistemas Unix que hace que la administración de paquetes sea confiable y reproducible. • https://github.com/NixOS/nix/pull/10501 https://github.com/NixOS/nix/security/advisories/GHSA-q82p-44mg-mgh5 • CWE-278: Insecure Preserved Inherited Permissions •