CVE-2024-32657
low-risk
Published 2024-04-22
Hydra is a Continuous Integration service for Nix based projects. Attackers can execute arbitrary code in the browser context of Hydra and execute authenticated HTTP requests. The abused feature allows Nix builds to specify files that Hydra serves to clients. One use of this functionality is serving NixOS `.iso` files. The issue is only with html files served by Hydra. The issue has been patched on https://hydra.nixos.org around 2024-04-21 14:30 UTC. The nixpkgs package were fixed in unstable and 23.11. Users with custom Hydra packages can apply the fix commit to their local installations. The vulnerability is only triggered when opening HTML build artifacts, so not opening them until the vulnerability is fixed works around the issue.
Do I need to act?
-
0.63% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.6/10
Medium
NETWORK
/ LOW complexity
Affected Products (1)
Hydra
Affected Vendors
References (8)
Issue Tracking
https://github.com/NixOS/nixpkgs/pull/306017
Issue Tracking
https://github.com/NixOS/nixpkgs/pull/306018
Issue Tracking
https://github.com/NixOS/nixpkgs/pull/306017
Issue Tracking
https://github.com/NixOS/nixpkgs/pull/306018
26
/ 100
low-risk
Severity
19/34 · Moderate
Exploitability
2/34 · Minimal
Exposure
5/34 · Minimal