Nixpkgs Security Tracker

Permalink CVE-2023-32190

7.8 HIGH

CVSS version: 3.1
Attack vector (AV): LOCAL
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 6 months ago

mlocate's %post script allows RUN_UPDATEDB_AS user to make arbitrary files world readable

mlocate's %post script allows RUN_UPDATEDB_AS user to make arbitrary files world readable by abusing insecure file operations that run with root privileges.

References

https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32190
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32190

Affected products

mlocate

<0.26-37.1

opensuse_tumbleweed

<0.26-37.1

Matching in nixpkgs

pkgs.mlocate

Merging locate is an utility to index and quickly search for files

nixos-unstable -
- nixpkgs-unstable 0.26

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.mlocate