CVE-2024-52867

low-risk
Published 2024-11-17

guix-daemon in GNU Guix before 5ab3c4c allows privilege escalation because build outputs are accessible by local users before file metadata concerns (e.g., for setuid and setgid programs) are properly addressed. The vulnerability can be remediated within the product via certain pull, reconfigure, and restart actions. Both 5ab3c4c and 5582241 are needed to resolve the vulnerability.

Do I need to act?

-
0.04% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.1/10 High
LOCAL / HIGH complexity

References (4)

https://git.savannah.gnu.org/cgit/guix.git/commit/?id=558224140dab669cabdaebabff...
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=5ab3c4c1e43ebb637551223791...
https://guix.gnu.org/en/blog/2024/build-user-takeover-vulnerability/
https://lists.debian.org/debian-lts-announce/2024/11/msg00016.html
26
/ 100
low-risk
Severity 21/34 · High
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal