Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Accepted suggestions

to create a Nixpkgs security record and open a GitHub issue for tracking resolution. This action will notify maintainers and package subscribers, and cannot be revoked.

to mark as irrelevant.

View:
Compact
Detailed
Permalink CVE-2024-12084
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 3 weeks, 5 days ago by @fricklerhandwerk Activity log
  • Created automatic suggestion 1 year, 2 months ago
  • @LeSuisse accepted 1 year, 2 months ago
  • @fricklerhandwerk added maintainer @fricklerhandwerk 3 weeks, 5 days ago maintainer.add
  • @fricklerhandwerk deleted
    2 maintainers
    • @fricklerhandwerk
    • @ehmry
    3 weeks, 5 days ago maintainer.delete
  • @fricklerhandwerk ignored package rsync 3 weeks, 5 days ago
  • @fricklerhandwerk restored package rsync 3 weeks, 5 days ago
  • @fricklerhandwerk added maintainer @fricklerhandwerk 3 weeks, 5 days ago maintainer.add
Rsync: heap buffer overflow in rsync due to improper checksum length handling

A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the sum2 buffer.

References

Affected products

rhcos
rsync
  • ==3.2.7
  • *
  • ==3.3.0

Matching in nixpkgs

pkgs.rsync

Fast incremental file transfer utility

Package maintainers

Ignored maintainers (1)

Additional maintainers

Permalink CVE-2025-23884
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 1 year, 2 months ago by @Erethon Activity log
  • Created automatic suggestion 1 year, 2 months ago
  • @Erethon dismissed 1 year, 2 months ago
  • @Erethon accepted 1 year, 2 months ago
WordPress Annie plugin <= 2.1.1 - CSRF to Stored XSS vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Chris Roberts Annie allows Cross Site Request Forgery.This issue affects Annie: from n/a through 2.1.1.

Affected products

annie
  • =<2.1.1

Matching in nixpkgs

pkgs.wannier90

Calculation of maximally localised Wannier functions

Package maintainers

Permalink CVE-2025-23760
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 1 year, 2 months ago by @Erethon Activity log
  • Created automatic suggestion 1 year, 2 months ago
  • @Erethon accepted 1 year, 2 months ago
  • @Erethon dismissed 1 year, 2 months ago
  • @Erethon accepted 1 year, 2 months ago
WordPress Chatter plugin <= 1.0.1 - CSRF to Stored XSS vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alex Volkov Chatter allows Stored XSS. This issue affects Chatter: from n/a through 1.0.1.

Affected products

chatter
  • =<1.0.1

Matching in nixpkgs

Package maintainers

Permalink CVE-2025-0502
updated 1 year, 2 months ago by @Erethon Activity log
  • Created automatic suggestion 1 year, 2 months ago
  • @Erethon accepted 1 year, 2 months ago
Transmission of Private Resources into a New Sphere in Crafter Engine

Transmission of Private Resources into a New Sphere ('Resource Leak') vulnerability in CrafterCMS Engine on Linux, MacOS, x86, Windows, 64 bit, ARM allows Directory Indexing, Resource Leak Exposure.This issue affects CrafterCMS: from 4.0.0 before 4.0.8, from 4.1.0 before 4.1.6.

Affected products

Engine
  • <4.0.8
  • <4.1.6

Matching in nixpkgs

Permalink CVE-2024-9979
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 1 year, 4 months ago by @LeSuisse Activity log
  • Created automatic suggestion 1 year, 4 months ago
  • @LeSuisse accepted 1 year, 4 months ago
Pyo3: risk of use-after-free in `borrowed` reads from python weak references

A flaw was found in PyO3. This vulnerability causes a use-after-free issue, potentially leading to memory corruption or crashes via unsound borrowing from weak Python references.

Affected products

pyo3
  • <0.22.4
python3.11-nh3
python3.11-rpds-py
python3.11-cryptography
python3.12-cryptography

Matching in nixpkgs

Package maintainers

Permalink CVE-2023-6717
6.0 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): LOW
updated 1 year, 4 months ago by @LeSuisse Activity log
  • Created automatic suggestion 1 year, 4 months ago
  • @LeSuisse accepted 1 year, 4 months ago
Keycloak: xss via assertion consumer service url in saml post-binding flow

A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising the confidentiality, integrity, and availability of the complete KC instance.

References

Affected products

keycloak
  • <22.0.10
  • <24.0.3
mta/mta-ui-rhel8
mta/mta-ui-rhel9
rh-sso7-keycloak
RHPAM 7.13.5 async
rhdh-hub-container
rhbk/keycloak-rhel9
  • *
rhdh/rhdh-hub-rhel9
org.keycloak/keycloak-core
org.keycloak-keycloak-parent
rhbk/keycloak-rhel9-operator
  • *
rhbk/keycloak-operator-bundle
  • *
Red Hat build of Keycloak 22.0.10
openshift-gitops-1/gitops-rhel8-operator
openshift-serverless-1/logic-rhel8-operator
  • *
openshift-serverless-1/logic-operator-bundle
  • *
openshift-serverless-1/logic-swf-builder-rhel8
  • *
openshift-serverless-1/logic-swf-devmode-rhel8
  • *
openshift-serverless-1-logic-rhel8-operator-container
  • *
openshift-serverless-1/logic-data-index-ephemeral-rhel8
  • *
openshift-serverless-1-logic-swf-builder-rhel8-container
  • *
openshift-serverless-1-logic-swf-devmode-rhel8-container
  • *
openshift-serverless-1/logic-data-index-postgresql-rhel8
  • *
openshift-serverless-1/logic-jobs-service-ephemeral-rhel8
  • *
openshift-serverless-1/logic-jobs-service-postgresql-rhel8
  • *
openshift-serverless-1-logic-rhel8-operator-bundle-container
  • *
openshift-serverless-1/logic-kn-workflow-cli-artifacts-rhel8
  • *
openshift-serverless-1-logic-data-index-ephemeral-rhel8-container
  • *
openshift-serverless-1-logic-data-index-postgresql-rhel8-container
  • *
openshift-serverless-1-logic-jobs-service-ephemeral-rhel8-container
  • *
openshift-serverless-1-logic-jobs-service-postgresql-rhel8-container
  • *
openshift-serverless-1-logic-kn-workflow-cli-artifacts-rhel8-container
  • *

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

Package maintainers

Permalink CVE-2023-6291
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 1 year, 4 months ago by @LeSuisse Activity log
  • Created automatic suggestion 1 year, 4 months ago
  • @LeSuisse accepted 1 year, 4 months ago
Keycloak: redirect_uri validation bypass

A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users.

References

Affected products

keycloak
rh-sso7-keycloak
  • *
rhbk/keycloak-rhel9
  • *
org.keycloak/keycloak-core
rhbk/keycloak-rhel9-operator
  • *
rhbk/keycloak-operator-bundle
  • *
rh-sso-7/sso76-openshift-rhel8
  • *
Red Hat build of Keycloak 22.0.7
rh-sso-7/sso7-rhel8-operator-bundle
  • *

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

Package maintainers

Permalink CVE-2024-8698
7.7 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 1 year, 4 months ago by @LeSuisse Activity log
  • Created automatic suggestion 1 year, 4 months ago
  • @LeSuisse accepted 1 year, 4 months ago
Keycloak-saml-core: improper verification of saml responses leading to privilege escalation in keycloak

A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.

References

Affected products

keycloak
  • <25.0.5
eap8-hppc
  • *
eap8-log4j
  • *
eap8-slf4j
  • *
eap8-jctools
  • *
eap8-jgroups
  • *
eap8-wildfly
  • *
eap8-narayana
  • *
eap8-asyncutil
  • *
eap8-hibernate
  • *
eap8-saaj-impl
  • *
eap8-snakeyaml
  • *
eap8-apache-cxf
  • *
eap8-cryptacular
  • *
eap8-fastinfoset
  • *
rh-sso7-keycloak
  • *
eap8-aws-java-sdk
  • *
eap8-pem-keystore
  • *
eap8-aesh-readline
  • *
eap8-jboss-logging
  • *
eap8-objectweb-asm
  • *
eap8-artemis-native
  • *
rhbk/keycloak-rhel9
  • *
eap8-aesh-extensions
  • *
eap8-nimbus-jose-jwt
  • *
eap8-resteasy-spring
  • *
eap8-activemq-artemis
  • *
eap8-apache-commons-io
  • *
eap8-jboss-cert-helper
  • *
eap8-apache-commons-lang
  • *
eap8-hibernate-validator
  • *
eap8-resteasy-extensions
  • *
Red Hat Build of Keycloak
eap8-apache-commons-codec
  • *
eap8-insights-java-client
  • *
keycloak-saml-core-public
eap8-activemq-artemis-native
  • *
eap8-eap-product-conf-parent
  • *
eap8-shibboleth-java-support
  • *
org.keycloak-keycloak-parent
rhbk/keycloak-rhel9-operator
  • *
rhbk/keycloak-operator-bundle
  • *
rh-sso-7/sso76-openshift-rhel8
  • *
eap8-apache-commons-collections
  • *
org.keycloak/keycloak-saml-core
eap8-artemis-wildfly-integration
  • *
eap8-jakarta-servlet-jsp-jstl-api
  • *
org.keycloak/keycloak-saml-core-public

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

Package maintainers

Permalink CVE-2024-1249
7.4 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
updated 1 year, 4 months ago by @LeSuisse Activity log
  • Created automatic suggestion 1 year, 4 months ago
  • @LeSuisse accepted 1 year, 4 months ago
Keycloak: org.keycloak.protocol.oidc: unvalidated cross-origin messages in checkloginiframe leads to ddos

A flaw was found in Keycloak's OIDC component in the "checkLoginIframe," which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages.

References

Affected products

keycloak
  • <22.0.10
  • <24.0.3
eap7-netty
  • *
RHSSO 7.6.8
eap7-wildfly
  • *
eap7-undertow
  • *
keycloak-core
eap7-hibernate
  • *
mta/mta-ui-rhel8
mta/mta-ui-rhel9
rh-sso7-keycloak
  • *
eap7-glassfish-el
  • *
eap7-jackson-core
  • *
rhdh-hub-container
rhbk/keycloak-rhel9
  • *
rhdh/rhdh-hub-rhel9
eap7-wildfly-elytron
  • *
eap7-wildfly-openssl
  • *
eap7-jackson-databind
  • *
eap7-jboss-ejb-client
  • *
keycloak-adapter-eap6
eap7-jackson-annotations
  • *
eap7-wildfly-http-client
  • *
eap7-jackson-modules-base
  • *
eap7-jackson-modules-java8
  • *
eap7-wildfly-naming-client
  • *
eap7-wildfly-openssl-linux
  • *
org.keycloak.protocol.oidc
eap7-jboss-server-migration
  • *
eap7-jackson-jaxrs-providers
  • *
keycloak-adapter-sso7_2-eap6
keycloak-adapter-sso7_3-eap6
keycloak-adapter-sso7_4-eap6
keycloak-adapter-sso7_5-eap6
org.keycloak-keycloak-parent
rhbk/keycloak-rhel9-operator
  • *
rhbk/keycloak-operator-bundle
  • *
rh-sso-7/sso76-openshift-rhel8
  • *
Red Hat build of Keycloak 22.0.10
openshift-serverless-1/logic-rhel8-operator
  • *
openshift-serverless-1/logic-operator-bundle
  • *
openshift-serverless-1/logic-swf-builder-rhel8
  • *
openshift-serverless-1/logic-swf-devmode-rhel8
  • *
openshift-serverless-1-logic-rhel8-operator-container
  • *
openshift-serverless-1/logic-data-index-ephemeral-rhel8
  • *
openshift-serverless-1-logic-swf-builder-rhel8-container
  • *
openshift-serverless-1-logic-swf-devmode-rhel8-container
  • *
openshift-serverless-1/logic-data-index-postgresql-rhel8
  • *
openshift-serverless-1/logic-jobs-service-ephemeral-rhel8
  • *
openshift-serverless-1/logic-jobs-service-postgresql-rhel8
  • *
openshift-serverless-1-logic-rhel8-operator-bundle-container
  • *
openshift-serverless-1/logic-kn-workflow-cli-artifacts-rhel8
  • *
openshift-serverless-1-logic-data-index-ephemeral-rhel8-container
  • *
openshift-serverless-1-logic-data-index-postgresql-rhel8-container
  • *
openshift-serverless-1-logic-jobs-service-ephemeral-rhel8-container
  • *
openshift-serverless-1-logic-jobs-service-postgresql-rhel8-container
  • *
openshift-serverless-1-logic-kn-workflow-cli-artifacts-rhel8-container
  • *

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

Package maintainers

Permalink CVE-2024-45691
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 1 year, 4 months ago by @LeSuisse Activity log
  • Created automatic suggestion 1 year, 4 months ago
  • @LeSuisse accepted 1 year, 4 months ago
Moodle: lesson activity password bypass through php loose comparison

A flaw was found in Moodle. When restricting access to a lesson activity with a password, certain passwords could be bypassed or less secure due to a loose comparison in the password-checking logic. This issue only affected passwords set to "magic hash" values.

References

Affected products

moodle
  • <4.3.7
  • <4.1.13
  • <4.2.10
  • <4.4.3

Matching in nixpkgs

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

Package maintainers