Nixpkgs security tracker
7.8 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Local (L)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): High (H)
- Integrity (I): High (H)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Local (L)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): High (H)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): High (H)
Activity log
- Created suggestion
OS Command Injection in Microsoft UFO Shell Action Replay via Stored Session JSON
Microsoft UFO open-source framework for intelligent automation across devices and platforms. Microsoft UFO tagged releases up to and including v3.0.0 contain an OS command injection vulnerability in the shell action replay path. In affected releases, ShellReceiver.run_shell() passes a command string from action parameters directly to subprocess.Popen() with shell=True and executable=powershell.exe. The same shell-execution behavior is also reachable through ShellReceiver.execute_command(). The shell receiver is invoked by action classes such as RunShellCommand.execute() and ExecuteCommand.execute(), which forward stored action parameters to the shell receiver. Because UFO stores planned and executed actions in per-session JSON records, an attacker who can write or modify a session/action JSON file can plant a shell action. When the session is resumed or replayed, UFO executes the attacker's command as the UFO process user.
References
-
https://github.com/microsoft/UFO/security/advisories/GHSA-wj72-7w8h-695f x_refsource_CONFIRM
Affected products
- ==<= 3.0.0
Matching in nixpkgs
pkgs.rufo
Ruby formatter
pkgs.tartufo
Tool to search through git repositories for high entropy strings and secrets
pkgs.ufolint
Linter for Unified Font Object (UFO) source code
pkgs.gohufont
A monospace bitmap font well suited for programming and terminal use
pkgs.nerd-fonts.gohufont
Nerd Fonts: Bitmap font, tall capitals and ascenders, small serifs
pkgs.akkuPackages.ufo-try
try-except to handle potential exception
pkgs.akkuPackages.ufo-match
This package is a dependable match macro library for chez scheme.
pkgs.akkuPackages.ufo-timer
This repository is a timer implementation based on Chez Scheme's thread mechanism.
pkgs.akkuPackages.ufo-socket
I did not edit Akku.manifest
pkgs.python312Packages.ufo2ft
Bridge from UFOs to FontTools objects
-
nixos-25.11 ufo2ft-3.6.2
- nixos-25.11-small ufo2ft-3.6.2
- nixpkgs-25.11-darwin ufo2ft-3.6.2
pkgs.python313Packages.ufo2ft
Bridge from UFOs to FontTools objects
-
nixos-unstable ufo2ft-3.7.0
- nixpkgs-unstable ufo2ft-3.7.0
- nixos-unstable-small ufo2ft-3.7.0
-
nixos-25.11 ufo2ft-3.6.2
- nixos-25.11-small ufo2ft-3.6.2
- nixpkgs-25.11-darwin ufo2ft-3.6.2
pkgs.python314Packages.ufo2ft
Bridge from UFOs to FontTools objects
-
nixos-unstable ufo2ft-3.7.0
- nixpkgs-unstable ufo2ft-3.7.0
- nixos-unstable-small ufo2ft-3.7.0
pkgs.python312Packages.ufolib2
Library to deal with UFO font sources
-
nixos-25.11 ufolib2-0.18.1
- nixos-25.11-small ufolib2-0.18.1
- nixpkgs-25.11-darwin ufolib2-0.18.1
pkgs.python312Packages.ufolint
Linter for Unified Font Object (UFO) source code
pkgs.python313Packages.ufolib2
Library to deal with UFO font sources
-
nixos-unstable ufolib2-0.18.1
- nixpkgs-unstable ufolib2-0.18.1
- nixos-unstable-small ufolib2-0.18.1
-
nixos-25.11 ufolib2-0.18.1
- nixos-25.11-small ufolib2-0.18.1
- nixpkgs-25.11-darwin ufolib2-0.18.1
pkgs.python313Packages.ufolint
Linter for Unified Font Object (UFO) source code
pkgs.python314Packages.ufolib2
Library to deal with UFO font sources
-
nixos-unstable ufolib2-0.18.1
- nixpkgs-unstable ufolib2-0.18.1
- nixos-unstable-small ufolib2-0.18.1
pkgs.python312Packages.ufomerge
Command line utility and Python library that merges two UFO source format fonts into a single file
pkgs.python313Packages.ufomerge
Command line utility and Python library that merges two UFO source format fonts into a single file
pkgs.akkuPackages.ufo-coroutines
This package is a dependable coroutine package for chez scheme.
pkgs.akkuPackages.ufo-thread-pool
This package is a dependable thread pool package for chez scheme.
pkgs.python312Packages.ufoprocessor
Read, write and generate UFOs with designspace data
pkgs.python313Packages.ufoprocessor
Read, write and generate UFOs with designspace data
pkgs.python314Packages.ufoprocessor
Read, write and generate UFOs with designspace data
pkgs.python312Packages.ufonormalizer
Script to normalize the XML and other data inside of a UFO
pkgs.python313Packages.ufo-extractor
Tools for extracting data from font binaries into UFO objects
pkgs.python313Packages.ufonormalizer
Script to normalize the XML and other data inside of a UFO
pkgs.python314Packages.ufonormalizer
Script to normalize the XML and other data inside of a UFO
pkgs.akkuPackages.ufo-threaded-function
This package contains threaded-map, threaded-vector-map and such threaded functions for chez scheme.
pkgs.vscode-extensions.ufo5260987423.magic-scheme
Adds support for Scheme(r6rs standard)
-
nixos-unstable ufo5260987423-magic-scheme-0.0.6
- nixpkgs-unstable ufo5260987423-magic-scheme-0.0.6
- nixos-unstable-small ufo5260987423-magic-scheme-0.0.6
-
nixos-25.11 ufo5260987423-magic-scheme-0.0.6
- nixos-25.11-small ufo5260987423-magic-scheme-0.0.6
- nixpkgs-25.11-darwin ufo5260987423-magic-scheme-0.0.6
Package maintainers
-
@rnhmjoj Michele Guerini Rocco <rnhmjoj@inventati.org>
-
@rc-zb Xiao Haifan <rc-zb@outlook.com>
-
@doronbehar Doron Behar <me@doronbehar.com>
-
@GNUqb114514 qb114514 <GNUqb114514@outlook.com>
-
@danc86 Dan Callaghan <djc@djc.id.au>
-
@jopejoe1 jopejoe1 <nixpkgs@missing.ninja>
-
@sternenseemann Lukas Epple <sternenseemann@systemli.org>
-
@andersk Anders Kaseorg <andersk@mit.edu>
-
@fabaff Fabian Affolter <mail@fabian-affolter.ch>