Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Permalink CVE-2024-54245
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 1 year, 4 months ago by @LeSuisse Activity log
  • Created automatic suggestion 1 year, 4 months ago
  • @LeSuisse dismissed 1 year, 4 months ago
WordPress Clients plugin <= 1.1.4 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Think201 Clients allows Stored XSS.This issue affects Clients: from n/a through 1.1.4.

Affected products

clients
  • =<1.1.4

Matching in nixpkgs

Package maintainers

Permalink CVE-2024-45770
4.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 1 year, 4 months ago by @LeSuisse Activity log
  • Created automatic suggestion 1 year, 4 months ago
  • @LeSuisse dismissed 1 year, 4 months ago
Pcp: pmpost symlink attack allows escalating pcp to root user

A vulnerability was found in Performance Co-Pilot (PCP). This flaw can only be exploited if an attacker has access to a compromised PCP system account. The issue is related to the pmpost tool, which is used to log messages in the system. Under certain conditions, it runs with high-level privileges.

References

Affected products

pcp
  • *

Matching in nixpkgs

pkgs.pcp

Command line peer-to-peer data transfer tool based on libp2p

pkgs.ncmpcpp

Featureful ncurses based MPD client inspired by ncmpc

  • nixos-unstable 0.10
    • nixpkgs-unstable 0.10
    • nixos-unstable-small 0.10

pkgs.libamqpcpp

Library for communicating with a RabbitMQ server

Package maintainers

Permalink CVE-2024-45769
5.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
updated 1 year, 4 months ago by @LeSuisse Activity log
  • Created automatic suggestion 1 year, 4 months ago
  • @LeSuisse dismissed 1 year, 4 months ago
Pcp: pmcd heap corruption through metric pmstore operations

A vulnerability was found in Performance Co-Pilot (PCP).  This flaw allows an attacker to send specially crafted data to the system, which could cause the program to misbehave or crash.

References

Affected products

pcp
  • *

Matching in nixpkgs

pkgs.pcp

Command line peer-to-peer data transfer tool based on libp2p

pkgs.ncmpcpp

Featureful ncurses based MPD client inspired by ncmpc

  • nixos-unstable 0.10
    • nixpkgs-unstable 0.10
    • nixos-unstable-small 0.10

pkgs.libamqpcpp

Library for communicating with a RabbitMQ server

Package maintainers

Permalink CVE-2024-7259
4.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 1 year, 4 months ago by @LeSuisse Activity log
  • Created automatic suggestion 1 year, 4 months ago
  • @LeSuisse dismissed 1 year, 4 months ago
Ovirt-engine: potential exposure of cleartext provider passwords via web ui

A flaw was found in oVirt. A user with administrator privileges, including users with the ReadOnlyAdmin permission, may be able to use browser developer tools to view Provider passwords in cleartext.

References

Affected products

ovirt-engine
  • <4.5.7

Matching in nixpkgs

Permalink CVE-2024-5154
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 1 year, 4 months ago by @LeSuisse Activity log
  • Created automatic suggestion 1 year, 4 months ago
  • @fricklerhandwerk accepted 1 year, 4 months ago
  • @fricklerhandwerk marked as untriaged 1 year, 4 months ago
  • @fricklerhandwerk accepted 1 year, 4 months ago
  • @LeSuisse dismissed 1 year, 4 months ago
Cri-o: malicious container can create symlink on host

A flaw was found in cri-o. A malicious container can create a symbolic link to arbitrary files on the host via directory traversal (“../“). This flaw allows the container to read and write to arbitrary files on the host system.

References

Affected products

cri-o
  • <1.28.7
  • *
  • <1.29.5
  • <1.30.1
rhcos
  • *
conman
conmon
kernel
  • *
openshift
  • *
container-tools:rhel8/podman

Matching in nixpkgs

pkgs.cri-o

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

pkgs.cri-o-unwrapped

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

Package maintainers

Permalink CVE-2024-8418
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
updated 1 year, 4 months ago by @LeSuisse Activity log
  • Created automatic suggestion 1 year, 4 months ago
  • @LeSuisse accepted 1 year, 4 months ago
  • @LeSuisse dismissed 1 year, 4 months ago
Containers/aardvark-dns: tcp query handling flaw in aardvark-dns leading to denial of service

A flaw was found in Aardvark-dns, which is vulnerable to a Denial of Service attack due to the serial processing of TCP DNS queries. An attacker can exploit this flaw by keeping a TCP connection open indefinitely, causing the server to become unresponsive and resulting in other DNS queries timing out. This issue prevents legitimate users from accessing DNS services, thereby disrupting normal operations and causing service downtime.

References

Affected products

rhcos
aardvark-dns
  • *
containers-common
containers/aardvark-dns
  • ==1.12.1
  • ==1.12.0
container-tools:rhel8/aardvark-dns
container-tools:rhel8/containers-common

Matching in nixpkgs

Package maintainers

Permalink CVE-2023-23456
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 1 year, 4 months ago by @LeSuisse Activity log
  • Created automatic suggestion 1 year, 4 months ago
  • @LeSuisse dismissed 1 year, 4 months ago
Upx: heap-buffer-overflow in packtmt::pack()

A heap-based buffer overflow issue was discovered in UPX in PackTmt::pack() in p_tmt.cpp file. The flow allows an attacker to cause a denial of service (abort) via a crafted file.

References

Affected products

upx
  • *

Matching in nixpkgs

pkgs.upx

Ultimate Packer for eXecutables

Permalink CVE-2024-9341
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 1 year, 4 months ago by @fricklerhandwerk Activity log
  • Created automatic suggestion 1 year, 4 months ago
  • @fricklerhandwerk dismissed 1 year, 4 months ago
Podman: buildah: cri-o: fips crypto-policy directory mounting issue in containers/common go library

A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container. This issue also allows attackers to access critical host files, bypassing the intended isolation between containers and the host system.

References

Affected products

cri-o
  • *
rhcos
  • *
podman
  • *
buildah
  • *
container-tools:rhel8
  • *
container-tools:rhel8/podman
github.com/containers/common
  • <0.60.4
container-tools:rhel8/buildah
openshift4/ose-docker-builder
openshift4/ose-docker-builder-rhel9

Matching in nixpkgs

pkgs.cri-o

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

pkgs.podman

Program for managing pods, containers and container images

pkgs.buildah

Tool which facilitates building OCI images

pkgs.podman-compose

Implementation of docker-compose with podman backend

pkgs.cri-o-unwrapped

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

Package maintainers