N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-wgrg-5h56-jg27

EPSS Score

CWE

Published

6/17/2022

Updated

6/13/2023

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-wgrg-5h56-jg27

GHSA-wgrg-5h56-jg27: Out-of-bounds write in nix::unistd::getgrouplist

On certain platforms, if a user has more than 16 groups, the nix::unistd::getgrouplist function will call the libc getgrouplist function with a length parameter greater than the size of the buffer it provides, resulting in an out-of-bounds write and memory corruption.

The libc getgrouplist function takes an in/out parameter ngroups specifying the size of the group buffer. When the buffer is too small to hold all of the reqested user's group memberships, some libc implementations, including glibc and Solaris libc, will modify ngroups to indicate the actual number of groups for the user, in addition to returning an error. The version of nix::unistd::getgrouplist in nix 0.16.0 and up will resize the buffer to twice its size, but will not read or modify the ngroups variable. Thus, if the user has more than twice as many groups as the initial buffer size of 8, the next call to getgrouplist will then write past the end of the buffer.

The issue would require editing /etc/groups to exploit, which is usually only editable by the root user.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-wgrg-5h56-jg27

EPSS Score

CWE

Published

6/17/2022

Updated

6/13/2023

KEV Status

Technology

Rust

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
nix	rust	>= 0.16.0, < 0.20.2	0.20.2
nix	rust	>= 0.21.0, < 0.21.2	0.21.2
nix	rust	>= 0.22.0, < 0.22.2	0.22.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability explicitly occurs in nix's getgrouplist() implementation as described in CVE/GHSA details. The root cause is the mismatch between buffer capacity and ngroups value passed to libc after buffer resizing. The function's retry logic (doubling buffer without updating ngroups) directly matches the vulnerability description. Multiple independent sources (GitHub advisory, RustSec, and original issue) all point to this specific function as the vulnerable component.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

On **rt*in pl*t*orms, i* * us*r **s mor* t**n ** *roups, t** `nix::unist*::**t*rouplist` *un*tion will **ll t** li** `**t*rouplist` *un*tion wit* * l*n*t* p*r*m*t*r *r**t*r t**n t** siz* o* t** *u***r it provi**s, r*sultin* in *n out-o*-*oun*s writ*

Reasoning

T** vuln*r**ility *xpli*itly o**urs in nix's `**t*rouplist()` impl*m*nt*tion *s **s*ri*** in *V*/**S* **t*ils. T** root **us* is t** mism*t** **tw**n *u***r **p**ity *n* n*roups v*lu* p*ss** to `li**` **t*r *u***r r*sizin*. T** *un*tion's r*try lo*i*

N/A

Basic Information

Concerned about an active attack path?

GHSA-wgrg-5h56-jg27: Out-of-bounds write in nix::unistd::getgrouplist

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI