Nixpkgs security tracker
Plane Vulnerable to Cross-Workspace/Cross-Project Asset Modification via IDOR in ProjectAssetEndpoint.patch
Plane is an an open-source project management tool. Prior to version 1.2.2, the `ProjectAssetEndpoint.patch()` method in `apps/api/plane/app/views/asset/v2.py` (lines 579–593) performs a global asset lookup using only the asset ID (`pk`) via `FileAsset.objects.get(id=pk)`, without verifying that the asset belongs to the workspace and project specified in the URL path. This allows any authenticated user (including those with the GUEST role) to modify the `attributes` and `is_uploaded` status of assets belonging to any workspace or project in the entire Plane instance by guessing or enumerating asset UUIDs. Version 1.2.2 fixes the issue.
References
-
https://github.com/makeplane/plane/security/advisories/GHSA-rfj3-8c85-g46j x_refsource_CONFIRM
-
https://github.com/makeplane/plane/releases/tag/v1.2.2 x_refsource_MISC
Affected products
- ==< 1.2.2
Matching in nixpkgs
pkgs.xplanet
Renders an image of the earth or other planets into the X root window
pkgs.freeplane
Mind-mapping software
pkgs.m2-planet
PLAtform NEutral Transpiler
pkgs.crossplane
NGINX configuration file parser and builder
pkgs.microplane
CLI tool to make git changes across many repos
pkgs.paper-plane
Chat over Telegram on a modern and elegant client
-
nixos-unstable 0.1.0-beta.5
- nixpkgs-unstable 0.1.0-beta.5
- nixos-unstable-small 0.1.0-beta.5
-
nixos-25.11 0.1.0-beta.5
- nixos-25.11-small 0.1.0-beta.5
- nixpkgs-25.11-darwin 0.1.0-beta.5
pkgs.invoiceplane
Self-hosted open source application for managing your invoices, clients and payments
pkgs.m2-mesoplanet
Macro Expander Saving Our m2-PLANET
pkgs.crossplane-cli
Utility to make using Crossplane easier
pkgs.biplanes-revival
Old cellphone arcade recreated for PC
pkgs.planetary_annihilation
Next-generation RTS that takes the genre to a planetary scale
pkgs.perlPackages.MathPlanePath
Points on a path through the 2-D plane
pkgs.perl5Packages.MathPlanePath
Points on a path through the 2-D plane
pkgs.dprint-plugins.g-plane-malva
CSS, SCSS, Sass and Less formatter.
pkgs.python312Packages.crossplane
NGINX configuration file parser and builder
pkgs.python313Packages.crossplane
NGINX configuration file parser and builder
pkgs.python314Packages.crossplane
NGINX configuration file parser and builder
pkgs.perl538Packages.MathPlanePath
Points on a path through the 2-D plane
pkgs.perl540Packages.MathPlanePath
Points on a path through the 2-D plane
pkgs.dprint-plugins.g-plane-markup_fmt
HTML, Vue, Svelte, Astro, Angular, Jinja, Twig, Nunjucks, and Vento formatter.
pkgs.dprint-plugins.g-plane-pretty_yaml
YAML formatter.
pkgs.gnomeExtensions.sane-airplane-mode
Make airplane mode sane again! This extension gives you better control over the airplane mode and lets you turn off the annoying "Bluetooth gets turned on when I disable airplane mode" behaviour.
pkgs.python313Packages.envoy-data-plane
Python dataclasses for the Envoy Data-Plane-API
pkgs.python314Packages.envoy-data-plane
Python dataclasses for the Envoy Data-Plane-API
pkgs.python312Packages.planetary-computer
Planetary Computer SDK for Python
-
nixos-25.11 1.0.0.post0
- nixos-25.11-small 1.0.0.post0
- nixpkgs-25.11-darwin 1.0.0.post0
pkgs.python313Packages.planetary-computer
Planetary Computer SDK for Python
-
nixos-unstable 1.0.0.post0
- nixpkgs-unstable 1.0.0.post0
- nixos-unstable-small 1.0.0.post0
-
nixos-25.11 1.0.0.post0
- nixos-25.11-small 1.0.0.post0
- nixpkgs-25.11-darwin 1.0.0.post0
pkgs.python314Packages.planetary-computer
Planetary Computer SDK for Python
-
nixos-unstable 1.0.0.post0
- nixpkgs-unstable 1.0.0.post0
- nixos-unstable-small 1.0.0.post0
pkgs.dprint-plugins.g-plane-pretty_graphql
GraphQL formatter.
pkgs.haskellPackages.amazonka-iot-dataplane
Amazon IoT Data Plane SDK
-
nixos-unstable 2.0-unstable-2025-04-16
- nixpkgs-unstable 2.0-unstable-2025-04-16
- nixos-unstable-small 2.0-unstable-2025-04-16
-
nixos-25.11 2.0-unstable-2025-04-16
- nixos-25.11-small 2.0-unstable-2025-04-16
- nixpkgs-25.11-darwin 2.0-unstable-2025-04-16
pkgs.haskellPackages.amazonka-iot-jobs-dataplane
Amazon IoT Jobs Data Plane SDK
-
nixos-unstable 2.0-unstable-2025-04-16
- nixpkgs-unstable 2.0-unstable-2025-04-16
- nixos-unstable-small 2.0-unstable-2025-04-16
-
nixos-25.11 2.0-unstable-2025-04-16
- nixos-25.11-small 2.0-unstable-2025-04-16
- nixpkgs-25.11-darwin 2.0-unstable-2025-04-16
pkgs.vscode-extensions.gplane.wasm-language-tools
Language support of WebAssembly
pkgs.haskellPackages.amazonka-mediastore-dataplane
Amazon Elemental MediaStore Data Plane SDK
-
nixos-unstable 2.0-unstable-2025-04-16
- nixpkgs-unstable 2.0-unstable-2025-04-16
- nixos-unstable-small 2.0-unstable-2025-04-16
-
nixos-25.11 2.0-unstable-2025-04-16
- nixos-25.11-small 2.0-unstable-2025-04-16
- nixpkgs-25.11-darwin 2.0-unstable-2025-04-16
Package maintainers
-
@KAction Dmitry Bogatov <KAction@disroot.org>
-
@selfuryon Sergei Iakovlev <siakovlev@pm.me>
-
@phanirithvij Phani Rithvij <phanirithvij2000@gmail.com>
-
@charles-dyfis-net Charles Duffy <charles@dyfis.net>
-
@honnip Jung seungwoo <me@honnip.page>
-
@onny Jonas Heinrich <onny@project-insanity.org>
-
@Ericson2314 John Ericson <John.Ericson@Obsidian.Systems>
-
@siraben Siraphob Phipathananunth <bensiraphob@gmail.com>
-
@alejandrosame Alejandro Sánchez Medina <alejandrosanchzmedina@gmail.com>
-
@emilytrau Emily Trau <emily+nix@downunderctf.com>
-
@06kellyjac Jack <hello+nixpkgs@j-k.io>
-
@Artturin Artturi N <artturin@artturin.com>
-
@dbirks David Birks <david@birks.dev>
-
@Aleksanaa Aleksana QwQ <me@aleksana.moe>
-
@domenkozar Domen Kozar <domen@dev.si>
-
@daspk04 Pratyush Das <dpratyush.k@gmail.com>
-
@Lassulus Lassulus <lassulus@gmail.com>
-
@svanderburg Sander van der Burg <s.vanderburg@tudelft.nl>
-
@GaetanLepage Gaetan Lepage <gaetan@glepage.com>
-
@samestep Sam Estep <sam@samestep.com>