CVE-2024-27297

11.03.2024, 22:15

Nix is a package manager for Linux and other Unix systems. A fixed-output derivations on Linux can send file descriptors to files in the Nix store to another program running on the host (or another fixed-output derivation) via Unix domain sockets in the abstract namespace. This allows to modify the output of the derivation, after Nix has registered the path as "valid" and immutable in the Nix database. In particular, this allows the output of fixed-output derivations to be modified from their expected content. This issue has been addressed in versions 2.3.18 2.18.2 2.19.4 and 2.20.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

TOCTOU

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.3 MEDIUM	ADJACENT_NETWORK	LOW	LOW	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
GitHub_M	CNA	6.3 MEDIUM	ADJACENT_NETWORK	LOW	LOW	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
CISA-ADP	ADP	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 15%

Vendor	Product	Version
nixos	nix	𝑥 < 2.3.18
nixos	nix	2.4 ≤ 𝑥 < 2.18.2
nixos	nix	2.19.0 ≤ 𝑥 < 2.19.4
nixos	nix	2.20.0 ≤ 𝑥 < 2.20.5

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

guix

bullseye	1.2.0-4+deb11u2 no-dsa
bookworm	1.4.0-3+deb12u2 no-dsa
bullseye (security)	1.2.0-4+deb11u3 fixed
bookworm (security)	1.4.0-3+deb12u2 fixed
sid	1.4.0-9 fixed
trixie	1.4.0-9 fixed