Nixpkgs Security Tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for a revision.

Permalink CVE-2022-45836
updated 1 year ago by @Erethon Activity log
  • Created automatic suggestion 1 year ago
  • @Erethon accepted 1 year ago
  • @Erethon dismissed 1 year ago
  • @Erethon accepted 1 year ago
  • @Erethon dismissed 1 year ago
WordPress Download Manager Plugin <= 3.2.59 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in W3 Eden, Inc. Download Manager plugin <= 3.2.59 versions.

Affected products

download-manager
  • =<3.2.59

Matching in nixpkgs

pkgs.lomiri.lomiri-download-manager

Performs uploads and downloads from a centralized location

Package maintainers

Permalink CVE-2023-27456
updated 1 year, 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion 1 year, 1 month ago
  • @LeSuisse dismissed 1 year, 1 month ago
WordPress Total theme <= 2.1.19 - Authenticated Arbitrary Plugin Activation

Missing Authorization vulnerability in HashThemes Total allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Total: from n/a through 2.1.19.

Affected products

total
  • =<2.1.19

Matching in nixpkgs

pkgs.autotalent

Real-time pitch correction LADSPA plugin (no MIDI control)

pkgs.haskellPackages.total

Exhaustive pattern matching using lenses, traversals, and prisms

pkgs.haskellPackages.total-alternative

Alternative interface for total versions of partial function on the Prelude

pkgs.python311Packages.total-connect-client

Interact with Total Connect 2 alarm systems

pkgs.python312Packages.total-connect-client

Interact with Total Connect 2 alarm systems

pkgs.home-assistant-component-tests.totalconnect

Open source home automation that puts local control and privacy first

Package maintainers

Permalink CVE-2024-54245
updated 1 year, 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion 1 year, 1 month ago
  • @LeSuisse dismissed 1 year, 1 month ago
WordPress Clients plugin <= 1.1.4 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Think201 Clients allows Stored XSS.This issue affects Clients: from n/a through 1.1.4.

Affected products

clients
  • =<1.1.4

Matching in nixpkgs

pkgs.haskellPackages.clientsession

Securely store session data in a client-side cookie

pkgs.haskellPackages.wai-session-clientsession

Session store based on clientsession

Package maintainers

Permalink CVE-2024-45770
updated 1 year, 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion 1 year, 1 month ago
  • @LeSuisse dismissed 1 year, 1 month ago
Pcp: pmpost symlink attack allows escalating pcp to root user

A vulnerability was found in Performance Co-Pilot (PCP). This flaw can only be exploited if an attacker has access to a compromised PCP system account. The issue is related to the pmpost tool, which is used to log messages in the system. Under certain conditions, it runs with high-level privileges.

Affected products

pcp
  • *

Matching in nixpkgs

pkgs.pcp

Command line peer-to-peer data transfer tool based on libp2p

pkgs.ncmpcpp

Featureful ncurses based MPD client inspired by ncmpc

pkgs.libamqpcpp

Library for communicating with a RabbitMQ server

pkgs.python311Packages.pcpp

C99 preprocessor written in pure Python

pkgs.python312Packages.pcpp

C99 preprocessor written in pure Python

Package maintainers

Permalink CVE-2024-45769
updated 1 year, 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion 1 year, 1 month ago
  • @LeSuisse dismissed 1 year, 1 month ago
Pcp: pmcd heap corruption through metric pmstore operations

A vulnerability was found in Performance Co-Pilot (PCP).  This flaw allows an attacker to send specially crafted data to the system, which could cause the program to misbehave or crash.

Affected products

pcp
  • *

Matching in nixpkgs

pkgs.pcp

Command line peer-to-peer data transfer tool based on libp2p

pkgs.ncmpcpp

Featureful ncurses based MPD client inspired by ncmpc

pkgs.libamqpcpp

Library for communicating with a RabbitMQ server

pkgs.python311Packages.pcpp

C99 preprocessor written in pure Python

pkgs.python312Packages.pcpp

C99 preprocessor written in pure Python

Package maintainers

Permalink CVE-2024-7259
updated 1 year, 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion 1 year, 1 month ago
  • @LeSuisse dismissed 1 year, 1 month ago
Ovirt-engine: potential exposure of cleartext provider passwords via web ui

A flaw was found in oVirt. A user with administrator privileges, including users with the ReadOnlyAdmin permission, may be able to use browser developer tools to view Provider passwords in cleartext.

Affected products

ovirt-engine
  • <4.5.7

Matching in nixpkgs

pkgs.rubyPackages.ovirt-engine-sdk

None

pkgs.rubyPackages_3_1.ovirt-engine-sdk

None

pkgs.rubyPackages_3_2.ovirt-engine-sdk

None

pkgs.rubyPackages_3_3.ovirt-engine-sdk

None

pkgs.rubyPackages_3_4.ovirt-engine-sdk

None

Permalink CVE-2024-5154
updated 1 year, 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion 1 year, 1 month ago
  • @fricklerhandwerk accepted 1 year, 1 month ago
  • @fricklerhandwerk marked as untriaged 1 year, 1 month ago
  • @fricklerhandwerk accepted 1 year, 1 month ago
  • @LeSuisse dismissed 1 year, 1 month ago
Cri-o: malicious container can create symlink on host

A flaw was found in cri-o. A malicious container can create a symbolic link to arbitrary files on the host via directory traversal (“../“). This flaw allows the container to read and write to arbitrary files on the host system.

Affected products

cri-o
  • <1.30.1
  • <1.28.7
  • *
  • <1.29.5
rhcos
  • *
conman
conmon
kernel
  • *
openshift
  • *
container-tools:rhel8/podman

Matching in nixpkgs

pkgs.cri-o

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

pkgs.cri-o-unwrapped

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

Package maintainers

Permalink CVE-2024-8418
updated 1 year, 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion 1 year, 1 month ago
  • @LeSuisse accepted 1 year, 1 month ago
  • @LeSuisse dismissed 1 year, 1 month ago
Containers/aardvark-dns: tcp query handling flaw in aardvark-dns leading to denial of service

A flaw was found in Aardvark-dns, which is vulnerable to a Denial of Service attack due to the serial processing of TCP DNS queries. An attacker can exploit this flaw by keeping a TCP connection open indefinitely, causing the server to become unresponsive and resulting in other DNS queries timing out. This issue prevents legitimate users from accessing DNS services, thereby disrupting normal operations and causing service downtime.

Affected products

rhcos
aardvark-dns
  • *
containers-common
containers/aardvark-dns
  • ==1.12.1
  • ==1.12.0
container-tools:rhel8/aardvark-dns
container-tools:rhel8/containers-common

Matching in nixpkgs

pkgs.aardvark-dns

Authoritative dns server for A/AAAA container records

Package maintainers

Permalink CVE-2023-23456
updated 1 year, 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion 1 year, 1 month ago
  • @LeSuisse dismissed 1 year, 1 month ago
Upx: heap-buffer-overflow in packtmt::pack()

A heap-based buffer overflow issue was discovered in UPX in PackTmt::pack() in p_tmt.cpp file. The flow allows an attacker to cause a denial of service (abort) via a crafted file.

Affected products

upx
  • *

Matching in nixpkgs

pkgs.upx

Ultimate Packer for eXecutables

Permalink CVE-2024-9341
updated 1 year, 1 month ago by @fricklerhandwerk Activity log
  • Created automatic suggestion 1 year, 1 month ago
  • @fricklerhandwerk dismissed 1 year, 1 month ago
Podman: buildah: cri-o: fips crypto-policy directory mounting issue in containers/common go library

A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container. This issue also allows attackers to access critical host files, bypassing the intended isolation between containers and the host system.

Affected products

cri-o
  • *
rhcos
  • *
podman
  • *
buildah
  • *
container-tools:rhel8
  • *
container-tools:rhel8/podman
github.com/containers/common
  • <0.60.4
container-tools:rhel8/buildah
openshift4/ose-docker-builder
openshift4/ose-docker-builder-rhel9

Matching in nixpkgs

pkgs.cri-o

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

pkgs.podman

Program for managing pods, containers and container images

pkgs.buildah

Tool which facilitates building OCI images

pkgs.podman-tui

Podman Terminal UI

pkgs.podman-compose

Implementation of docker-compose with podman backend

pkgs.podman-desktop

A graphical tool for developing on containers and Kubernetes

pkgs.cri-o-unwrapped

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

pkgs.buildah-unwrapped

Tool which facilitates building OCI images

pkgs.nomad-driver-podman

Podman task driver for Nomad

pkgs.python311Packages.podman

Python bindings for Podman's RESTful API

pkgs.python312Packages.podman

Python bindings for Podman's RESTful API

Package maintainers