Nixpkgs Security Tracker

CVE-2024-3935

7.5 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): NONE
Availability impact (A): HIGH

updated 5 months, 1 week ago by @LeSuisse Activity log

Created automatic suggestion 5 months, 1 week ago
@LeSuisse removed
2 packages
- pkgs.haskellPackages.mosquitto-hs 0.1.0.0
- pkgs.chickenPackages_5.chickenEggs.mosquitto 0.1.5
5 months, 1 week ago
@LeSuisse accepted as draft 5 months, 1 week ago

Eclipse Mosquito: Double free vulnerability

In Eclipse Mosquito, versions from 2.0.0 through 2.0.18, if a Mosquitto broker is configured to create an outgoing bridge connection, and that bridge connection has an incoming topic configured that makes use of topic remapping, then if the remote connection sends a crafted PUBLISH packet to the broker a double free will occur with a subsequent crash of the broker.

mosquitto

=<2.0.18

pkgs.mosquitto

Open source MQTT v3.1/3.1.1/5.0 broker

nixos-24.11 2.0.20

CVE-2024-3656

8.1 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): NONE

updated 5 months, 1 week ago by @LeSuisse Activity log

Created automatic suggestion 5 months, 1 week ago
@LeSuisse removed
3 packages
- pkgs.terraform-providers.keycloak 4.4.0
- pkgs.python311Packages.python-keycloak 4.0.0
- pkgs.python312Packages.python-keycloak 4.0.0
5 months, 1 week ago
@LeSuisse accepted as draft 5 months, 1 week ago

Keycloak: unguarded admin rest api endpoints allows low privilege users to use administrative functionalities

A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.

keycloak

<24.0.5

org.keycloak-keycloak-parent

pkgs.keycloak

Identity and access management for modern applications and services

nixos-24.05 25.0.6
- nixos-24.05-small 25.0.6
nixos-24.11 26.0.6
- nixos-24.11-small 26.0.7
nixos-unstable 26.0.6
- nixos-unstable-small 26.0.7
- nixpkgs-unstable 26.0.6

CVE-2024-45689

6.5 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): NONE
Availability impact (A): NONE

updated 5 months, 1 week ago by @LeSuisse Activity log

Created automatic suggestion 5 months, 1 week ago
@LeSuisse removed
3 packages
- pkgs.moodle-dl 2.2.2.4
- pkgs.moodle-dl 2.3.12
- pkgs.texlivePackages.moodle 1.0
5 months, 1 week ago
@LeSuisse accepted as draft 5 months, 1 week ago

Moodle: unprotected access to sensitive information via dynamic tables

A flaw was found in Moodle. Dynamic tables did not enforce capability checks, which resulted in users having the ability to retrieve information they did not have permission to access.

moodle

<4.3.7

<4.4.3

<4.2.10

<4.1.13

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

nixos-24.05 4.4
- nixos-24.05-small 4.4
nixos-24.11 4.4.3
- nixos-24.11-small 4.4.3
nixos-unstable 4.4.3
- nixos-unstable-small 4.4.4
- nixpkgs-unstable 4.4.3

CVE-2024-45690

7.5 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): HIGH
Availability impact (A): NONE

updated 5 months, 1 week ago by @LeSuisse Activity log

Created automatic suggestion 5 months, 1 week ago
@LeSuisse removed
3 packages
- pkgs.texlivePackages.moodle 1.0
- pkgs.moodle-dl 2.2.2.4
- pkgs.moodle-dl 2.3.12
5 months, 1 week ago
@LeSuisse accepted as draft 5 months, 1 week ago

Moodle: idor when deleting oauth2 linked accounts

A flaw was found in Moodle. Additional checks were required to ensure users can only delete their OAuth2-linked accounts.

moodle

<4.3.7

<4.4.3

<4.2.10

<4.1.13

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

nixos-24.05 4.4
- nixos-24.05-small 4.4
nixos-24.11 4.4.3
- nixos-24.11-small 4.4.3
nixos-unstable 4.4.3
- nixos-unstable-small 4.4.4
- nixpkgs-unstable 4.4.3

CVE-2024-48897

6.5 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): HIGH
Availability impact (A): NONE

updated 5 months, 1 week ago by @LeSuisse Activity log

Created automatic suggestion 5 months, 1 week ago
@LeSuisse removed
3 packages
- pkgs.moodle-dl 2.2.2.4
- pkgs.moodle-dl 2.3.12
- pkgs.texlivePackages.moodle 1.0
5 months, 1 week ago
@LeSuisse accepted as draft 5 months, 1 week ago

Moodle: idor in edit/delete rss feed

A vulnerability was found in Moodle. Additional checks are required to ensure users can only edit or delete RSS feeds that they have permission to modify.

moodle

<4.1.0

<4.4.4

<4.3.8

<4.1.14

<4.2.11

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

nixos-24.05 4.4
- nixos-24.05-small 4.4
nixos-24.11 4.4.3
- nixos-24.11-small 4.4.3
nixos-unstable 4.4.3
- nixos-unstable-small 4.4.4
- nixpkgs-unstable 4.4.3

CVE-2024-8443

2.9 LOW

CVSS version: 3.1
Attack vector (AV): PHYSICAL
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): NONE

updated 5 months, 1 week ago by @LeSuisse Activity log

Created automatic suggestion 5 months, 1 week ago
@LeSuisse removed
12 packages
- pkgs.openscad-unstable 2024-03-10
- pkgs.openscad-unstable 2024-11-10
- pkgs.openscad-unstable 2024-12-06
- pkgs.openscenegraph 3.6.5
- pkgs.openscad-lsp 1.2.5
- pkgs.openscap 1.3.10
- pkgs.openscad 2021.01
- pkgs.vscode-extensions.antyos.openscad 1.1.1
- pkgs.vscode-extensions.antyos.openscad 1.3.1
- pkgs.kakounePlugins.openscad-kak 2020-12-10
- pkgs.vimPlugins.openscad-nvim 2024-04-13
- pkgs.vimPlugins.vim-openscad 2022-07-26
5 months, 1 week ago
@LeSuisse accepted as draft 5 months, 1 week ago

Libopensc: heap buffer overflow in openpgp driver when generating key

A heap-based buffer overflow vulnerability was found in the libopensc OpenPGP driver. A crafted USB device or smart card with malicious responses to the APDUs during the card enrollment process using the `pkcs15-init` tool may lead to out-of-bound rights, possibly resulting in arbitrary code execution.

opensc

pkgs.opensc

Set of libraries and utilities to access smart cards

nixos-24.05 0.26.0
- nixos-24.05-small 0.26.0
nixos-24.11 0.26.0
- nixos-24.11-small 0.26.0
nixos-unstable 0.26.0
- nixos-unstable-small 0.26.0
- nixpkgs-unstable 0.26.0

CVE-2024-48896

4.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): NONE
Availability impact (A): NONE

updated 5 months, 1 week ago by @LeSuisse Activity log

Created automatic suggestion 5 months, 1 week ago
@LeSuisse accepted as draft 5 months, 1 week ago
@LeSuisse removed
3 packages
- pkgs.texlivePackages.moodle 1.0
- pkgs.moodle-dl 2.2.2.4
- pkgs.moodle-dl 2.3.12
5 months, 1 week ago

Moodle: users' names returned in messaging error message

A vulnerability was found in Moodle. It is possible for users with the "send message" capability to view other users' names that they may not otherwise have access to via an error message in Messaging. Note: The name returned follows the full name format configured on the site.

moodle

<4.1.0

<4.4.4

<4.3.8

<4.1.14

<4.2.11

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

nixos-24.05 4.4
- nixos-24.05-small 4.4
nixos-24.11 4.4.3
- nixos-24.11-small 4.4.3
nixos-unstable 4.4.3
- nixos-unstable-small 4.4.4
- nixpkgs-unstable 4.4.3

CVE-2024-48898

6.5 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): HIGH
Availability impact (A): NONE

updated 5 months, 1 week ago by @fricklerhandwerk Activity log

Created automatic suggestion 5 months, 1 week ago
@fricklerhandwerk removed
3 packages
- pkgs.moodle-dl 2.2.2.4
- pkgs.moodle-dl 2.3.12
- pkgs.texlivePackages.moodle 1.0
5 months, 1 week ago
@fricklerhandwerk accepted as draft 5 months, 1 week ago

Moodle: some users can delete audiences of other reports

A vulnerability was found in Moodle. Users with access to delete audiences from reports could delete audiences from other reports that they do not have permission to delete from.

moodle

<4.1.0

<4.4.4

<4.3.8

<4.1.14

<4.2.11

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

nixos-24.05 4.4
- nixos-24.05-small 4.4
nixos-24.11 4.4.3
- nixos-24.11-small 4.4.3
nixos-unstable 4.4.3
- nixos-unstable-small 4.4.4
- nixpkgs-unstable 4.4.3

CVE-2024-48900

4.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): NONE
Availability impact (A): NONE

updated 5 months, 1 week ago by @fricklerhandwerk Activity log

Created automatic suggestion 5 months, 1 week ago
@fricklerhandwerk removed
3 packages
- pkgs.moodle-dl 2.2.2.4
- pkgs.moodle-dl 2.3.12
- pkgs.texlivePackages.moodle 1.0
5 months, 1 week ago
@fricklerhandwerk accepted as draft 5 months, 1 week ago

Moodle: idor when accessing list of badge recipients

A vulnerability was found in Moodle. Additional checks are required to ensure users with permission to view badge recipients can only access lists of those they are intended to have access to.

moodle

<4.4.4

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

nixos-24.05 4.4
- nixos-24.05-small 4.4
nixos-24.11 4.4.3
- nixos-24.11-small 4.4.3
nixos-unstable 4.4.3
- nixos-unstable-small 4.4.4
- nixpkgs-unstable 4.4.3

CVE-2024-48901

4.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): LOW
Availability impact (A): NONE

updated 5 months, 1 week ago by @fricklerhandwerk Activity log

Created automatic suggestion 5 months, 1 week ago
@fricklerhandwerk removed
3 packages
- pkgs.moodle-dl 2.2.2.4
- pkgs.moodle-dl 2.3.12
- pkgs.texlivePackages.moodle 1.0
5 months, 1 week ago
@fricklerhandwerk accepted as draft 5 months, 1 week ago

Moodle: idor when fetching report schedules

A vulnerability was found in Moodle. Additional checks are required to ensure users can only access the schedule of a report if they have permission to edit that report.

moodle

<4.1.0

<4.4.4

<4.3.8

<4.1.14

<4.2.11

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

nixos-24.05 4.4
- nixos-24.05-small 4.4
nixos-24.11 4.4.3
- nixos-24.11-small 4.4.3
nixos-unstable 4.4.3
- nixos-unstable-small 4.4.4
- nixpkgs-unstable 4.4.3

Drafts

pkgs.mosquitto

pkgs.keycloak

pkgs.moodle

pkgs.moodle

pkgs.moodle

pkgs.opensc

pkgs.moodle

pkgs.moodle

pkgs.moodle

pkgs.moodle