How severe is CVE-2024-51481?

This vulnerability has a severity rating of LOW with a CVSS score of N/A out of 10.

What type of vulnerability is CVE-2024-51481?

This is classified as CWE-693, which is a common weakness in software security.

CVE-2024-51481 - LOW Severity | CVSS N/A

Vulnerability Description

Nix is a package manager for Linux and other Unix systems. On macOS, built-in builders (such as `builtin:fetchurl`, exposed to users with `import <nix/fetchurl.nix>`) were not executed in the macOS sandbox. Thus, these builders (which are running under the `nixbld*` users) had read access to world-readable paths and write access to world-writable paths outside of the sandbox. This issue is fixed in 2.18.9, 2.19.7, 2.20.9, 2.21.5, 2.22.4, 2.23.4, and 2.24.10. Note that sandboxing is not enabled by default on macOS. The Nix sandbox is not primarily intended as a security mechanism, but as an aid to improve reproducibility and purity of Nix builds. However, sandboxing *can* mitigate the impact of other security issues by limiting what parts of the host system a build has access to.

Related Vulnerabilities

CVE-2022-32845

CRITICAL

CVSS:10.0(Critical)

This issue was addressed with improved checks. This issue is fixed in watchOS 8.7, iOS 15.6 and iPadOS 15.6, macOS Monterey 12.5. An app may be able to break out of its sandbox.

CWE-6932022

CVE-2022-35978

CRITICAL

CVSS:10.0(Critical)

Minetest is a free open-source voxel game engine with easy modding and game creation. In **single player**, a mod can set a global setting that controls the Lua script loaded to display the main menu....

CWE-6932022

CVE-2019-1003030

CRITICAL

CVSS:9.9(Critical)

A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java that allows attackers able to...

CWE-6932019

CVE-2019-10328

CRITICAL

CVSS:9.9(Critical)

Jenkins Pipeline Remote Loader Plugin 1.4 and earlier provided a custom whitelist for script security that allowed attackers to invoke arbitrary methods, bypassing typical sandbox protection.

CWE-6932019

CVE-2021-32835

CRITICAL

CVSS:9.9(Critical)

Eclipse Keti is a service that was designed to protect RESTfuls API using Attribute Based Access Control (ABAC). In Keti a sandbox escape vulnerability may lead to post-authentication Remote Code exec...

CWE-6932021

CVE-2023-25765

CRITICAL

CVSS:9.9(Critical)

In Jenkins Email Extension Plugin 2.93 and earlier, templates defined inside a folder were not subject to Script Security protection, allowing attackers able to define email templates in folders to by...

CWE-6932023