CVE-2024-47174
CVSS 3.1 Score 5.9 of 10 (medium)
Summary
CVE-2024-47174 is a vulnerability in Nix, a package manager for Linux and other Unix systems, affecting versions from 1.11 until the fixes in 2.18.8 and 2.24.8. In these versions, `<nix/fetchurl.nix>`, also known as the builtin derivation builder `builtin:fetchurl`, did not verify TLS certificates on HTTPS connections. A man-in-the-middle (MITM) attacker could therefore observe connection details, and even credentials, of users with `netrc` files or impure derivations that use environment variables. The trust-on-first-use (TOFU) technique for dependency updates was also exposed to MITM attacks that inject arbitrary store objects, and Nixpkgs fetchers based on fixed-output derivations were affected when not using the fake hash method. The behaviour was introduced in version 1.11 for consistency and sandboxing reasons and was fixed in versions 2.18.8 and 2.24.8. As a workaround, users should use authenticated fetching with `pkgs.fetchurl` from Nixpkgs, with `impureEnvVars` and `curlOpts` as required.
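The affected fetch pattern beside the advisory's workaround, as an added example that is not from the advisory or the Nix project. The URL and hash are constructed placeholders, and `netrcPhase`/`netrcImpureEnvVars` are assumed from the Nixpkgs `fetchurl` interface rather than taken from this page.

```nix
# Added example (not the advisory's or the Nix project's own code).
let
  pkgs = import <nixpkgs> { };
  url = "https://example.invalid/src/tool-1.0.tar.gz";      # constructed
  # Placeholder: substitute the real SRI hash of the artifact.
  hash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
in
{
  # Affected pattern: the builtin fetcher (builder "builtin:fetchurl"),
  # which the Nix daemon runs itself. On the affected versions the HTTPS
  # connection is made without certificate verification, so a pinned
  # hash is the only check: it still rejects tampered content, but an
  # on-path attacker can read the request and any credentials sent.
  viaBuiltin = import <nix/fetchurl.nix> {
    inherit url hash;
  };

  # Workaround named in the advisory: use Nixpkgs' fetchurl, which runs
  # curl inside the build sandbox and verifies the server certificate.
  viaNixpkgs = pkgs.fetchurl {
    inherit url hash;
    # Authenticated fetch: the credentials come from impure environment
    # variables (assumed names) and are written to a netrc file that
    # curl reads via --netrc-file; they never appear in the derivation.
    netrcPhase = ''
      cat > netrc <<EOF
      machine example.invalid
      login $EXAMPLE_USER
      password $EXAMPLE_TOKEN
      EOF
    '';
    netrcImpureEnvVars = [ "EXAMPLE_USER" "EXAMPLE_TOKEN" ];
    # Extra curl options, as the advisory suggests: refuse plain http,
    # including on redirects, so a downgrade cannot bypass TLS.
    curlOpts = "--proto =https --proto-redir =https";
  };
}
```

Evaluate `viaNixpkgs` with `EXAMPLE_USER`/`EXAMPLE_TOKEN` set in the environment of the `nix-build` invocation; `viaBuiltin` is kept only to show the pattern the advisory tells users to move away from.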