CVE-2024-38531

Name
CVE-2024-38531
Description
Nix is a package manager for Linux and other Unix systems that makes package management reliable and reproducible. A build process has access to and can change the permissions of the build directory. After creating a setuid binary in a globally accessible location, a malicious local user can assume the permissions of a Nix daemon worker and hijack all future builds. This issue was patched in version(s) 2.23.1, 2.22.2, 2.21.3, 2.20.7, 2.19.5 and 2.18.4.
NVD Severity
low
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://github.com/NixOS/nix/pull/10501
CONFIRM https://github.com/NixOS/nix/security/advisories/GHSA-q82p-44mg-mgh5

Match rules

CPE URI Source package Min version Max version
nix >= 2.23.0 < 2.23.1
nix >= 2.22.0 < 2.22.2
nix >= 2.21.0 < 2.21.3
nix >= 2.20.0 < 2.20.7
nix >= 2.19.0 < 2.19.5
nix >= 2.18.0 < 2.18.4

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
nix 3.20-community 2.22.0-r0 Hoang Nguyen <folliekazetani@protonmail.com> possibly vulnerable