exploitDog

CVE-2024-47174

Published: 26 Sep 2024
Source: nvd
CVSS3: 5.9
EPSS: Low

Description

Nix is a package manager for Linux and other Unix systems. Starting in version 1.11 and prior to versions 2.18.8 and 2.24.8, <nix/fetchurl.nix> did not verify TLS certificates on HTTPS connections. This could lead to connection details such as full URLs or credentials leaking in case of a man-in-the-middle (MITM) attack. <nix/fetchurl.nix> is also known as the builtin derivation builder builtin:fetchurl. It's not to be confused with the evaluation-time function builtins.fetchurl, which was not affected by this issue. A user may be affected by the risk of leaking credentials if they have a netrc file for authentication, or rely on derivations with impureEnvVars set to use credentials from the environment. In addition, the commonplace trust-on-first-use (TOFU) technique of updating dependencies by specifying an invalid hash and obtaining it from a remote store was also vulnerable to a MITM injecting arbitrary store objects. This also applied to the impure derivations experim
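The description gives the affected range in prose ("starting in version 1.11 and prior to versions 2.18.8 and 2.24.8"), which is easy to misread when triaging hosts. The following is an added example (not code from the page, from NVD, or from the Nix project) that turns that range into a check a practitioner can run against `nix --version` output. It assumes the conservative reading of the advisory text: 2.18.x is fixed from 2.18.8, and every other release line at or above 1.11 is fixed only from 2.24.8; pre-release suffixes are ignored, so "2.24.8pre..." is treated as 2.24.8.

```python
import re
from typing import Tuple

# CVE-2024-47174: builtin:fetchurl (<nix/fetchurl.nix>) skipped TLS certificate
# verification on HTTPS. Ranges below are taken from the advisory text:
#   affected: >= 1.11, prior to 2.18.8 (2.18 branch) and 2.24.8 (mainline).
FIRST_AFFECTED = (1, 11, 0)
BRANCH_FIX = {
    (2, 18): (2, 18, 8),   # maintenance branch fixed in 2.18.8
}
MAINLINE_FIX = (2, 24, 8)  # assumption: all other lines fixed only at 2.24.8+


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from a bare version or from
    `nix --version` output such as 'nix (Nix) 2.24.7'.
    A missing patch component defaults to 0; pre-release suffixes are ignored."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def is_affected(text: str) -> bool:
    """Return True when the given Nix version falls in the CVE-2024-47174 range."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return False
    branch_fix = BRANCH_FIX.get(v[:2])
    if branch_fix is not None:
        return v < branch_fix
    # Assumption: 2.19 through 2.23 have no listed fix, so they are treated as
    # affected until 2.24.8; anything at or above 2.24.8 is considered fixed.
    return v < MAINLINE_FIX


def triage(text: str) -> str:
    """One-line verdict for a version string, e.g. for a fleet inventory report."""
    v = parse_version(text)
    label = "AFFECTED" if is_affected(text) else "not affected"
    return f"nix {v[0]}.{v[1]}.{v[2]}: {label}"


if __name__ == "__main__":
    # Constructed sample inputs: the shape of `nix --version` output.
    for sample in ("nix (Nix) 2.18.7", "nix (Nix) 2.18.8", "nix (Nix) 2.24.7",
                   "nix (Nix) 2.24.8", "nix (Nix) 1.10.1"):
        print(triage(sample))
```

A host that reports "not affected" here can still leak credentials through other channels; the check only covers the version window for this CVE, and the exposure conditions in the description (a `netrc` file, `impureEnvVars` derivations, and TOFU hash updates from a remote store) still have to be reviewed separately.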

EPSS

Percentile: 22%
Score: 0.00071
Low

CVSS3

5.9 Medium

Weaknesses

CWE-287

Related vulnerabilities

CVSS3: 5.9
ubuntu
more than 1 year ago
Description: identical to the NVD description above.

CVSS3: 5.9
debian
more than 1 year ago
Description: begins identically to the NVD description above (truncated on the page).
