nvd-json-data-feeds/CVE-2024/CVE-2024-514xx/CVE-2024-51481.json

{
  "id": "CVE-2024-51481",
  "sourceIdentifier": "security-advisories@github.com",
  "published": "2024-10-31T17:15:13.723",
  "lastModified": "2024-11-01T12:57:03.417",
  "vulnStatus": "Awaiting Analysis",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Nix is a package manager for Linux and other Unix systems. On macOS, built-in builders (such as `builtin:fetchurl`, exposed to users with `import <nix/fetchurl.nix>`) were not executed in the macOS sandbox. Thus, these builders (which are running under the `nixbld*` users) had read access to world-readable paths and write access to world-writable paths outside of the sandbox. This issue is fixed in 2.18.9, 2.19.7, 2.20.9, 2.21.5, 2.22.4, 2.23.4, and 2.24.10. Note that sandboxing is not enabled by default on macOS. The Nix sandbox is not primarily intended as a security mechanism, but as an aid to improve reproducibility and purity of Nix builds. However, sandboxing *can* mitigate the impact of other security issues by limiting what parts of the host system a build has access to."
    },
    {
      "lang": "es",
      "value": "Nix es un administrador de paquetes para Linux y otros sistemas Unix. En macOS, los compiladores integrados (como `builtin:fetchurl`, expuesto a los usuarios con `import `) no se ejecutaban en el entorno aislado de macOS. Por lo tanto, estos compiladores (que se ejecutan bajo los usuarios `nixbld*`) ten\u00edan acceso de lectura a rutas legibles por todo el mundo y acceso de escritura a rutas escribibles por todo el mundo fuera del entorno aislado. Este problema se solucion\u00f3 en 2.18.9, 2.19.7, 2.20.9, 2.21.5, 2.22.4, 2.23.4 y 2.24.10. Tenga en cuenta que el entorno aislado no est\u00e1 habilitado de forma predeterminada en macOS. El entorno aislado de Nix no est\u00e1 pensado principalmente como un mecanismo de seguridad, sino como una ayuda para mejorar la reproducibilidad y la pureza de las compilaciones de Nix. Sin embargo, el sandbox *puede* mitigar el impacto de otros problemas de seguridad al limitar a qu\u00e9 partes del sistema host tiene acceso una compilaci\u00f3n."
    }
  ],
  "metrics": {
    "cvssMetricV40": [
      {
        "source": "security-advisories@github.com",
        "type": "Secondary",
        "cvssData": {
          "version": "4.0",
          "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "baseScore": 1.0,
          "baseSeverity": "LOW",
          "attackVector": "LOCAL",
          "attackComplexity": "HIGH",
          "attackRequirements": "PRESENT",
          "privilegesRequired": "LOW",
          "userInteraction": "PASSIVE",
          "vulnConfidentialityImpact": "LOW",
          "vulnIntegrityImpact": "LOW",
          "vulnAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "LOW",
          "subIntegrityImpact": "LOW",
          "subAvailabilityImpact": "NONE",
          "exploitMaturity": "NOT_DEFINED",
          "confidentialityRequirement": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "availabilityRequirement": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "valueDensity": "NOT_DEFINED",
          "vulnerabilityResponseEffort": "NOT_DEFINED",
          "providerUrgency": "NOT_DEFINED"
        }
      }
    ]
  },
  "weaknesses": [
    {
      "source": "security-advisories@github.com",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-693"
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://github.com/NixOS/nix/commit/597fcc98e18e3178734d06a9e7306250e8cb8d74",
      "source": "security-advisories@github.com"
    },
    {
      "url": "https://github.com/NixOS/nix/security/advisories/GHSA-wf4c-57rh-9pjg",
      "source": "security-advisories@github.com"
    }
  ]
}