Nixpkgs Security Tracker

Login with GitHub

Automatically generated suggestions

to queue a suggestion for refinement.

to remove a suggestion from the queue.

CVE-2024-25978
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 3 months ago
Msa-24-0001: denial of service risk in file picker unzip functionality

Insufficient file size checks resulted in a denial of service risk in the file picker's unzip functionality.

Affected products

moodle
  • <4.1.9
  • <4.2.6
  • <4.3.3

Matching in nixpkgs

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

pkgs.moodle-dl

Moodle downloader that downloads course content fast from Moodle

Package maintainers: 2

CVE-2024-25981
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 3 months ago
Msa-24-0004: forum export did not respect activity group settings

Separate Groups mode restrictions were not honored when performing a forum export, which would export forum data for all groups. By default this only provided additional access to non-editing teachers.

Affected products

moodle
  • <4.1.9
  • <4.2.6
  • <4.3.3

Matching in nixpkgs

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

pkgs.moodle-dl

Moodle downloader that downloads course content fast from Moodle

Package maintainers: 2

CVE-2024-25980
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 3 months ago
Msa-24-0003: h5p attempts report did not respect activity group settings

Separate Groups mode restrictions were not honored in the H5P attempts report, which would display users from other groups. By default this only provided additional access to non-editing teachers.

Affected products

moodle
  • <4.1.9
  • <4.2.6
  • <4.3.3

Matching in nixpkgs

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

pkgs.moodle-dl

Moodle downloader that downloads course content fast from Moodle

Package maintainers: 2

CVE-2024-24762
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 3 months ago
FastAPI vulnerable to content-type header Regular expression Denial of Service (ReDoS)

FastAPI is a web framework for building APIs with Python 3.8+ based on standard Python type hints. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests. It's a ReDoS(Regular expression Denial of Service), it only applies to those reading form data, using `python-multipart`. This vulnerability has been patched in version 0.109.0.

Affected products

fastapi
  • <0.109.1
startlette
  • <0.36.2
python-multipart
  • <0.0.7

Matching in nixpkgs

pkgs.fastapi-cli

Run and manage FastAPI apps from the command line with FastAPI CLI

pkgs.python312Packages.fastapi

Web framework for building APIs

pkgs.python313Packages.fastapi

Web framework for building APIs

pkgs.python312Packages.fastapi-cli

Run and manage FastAPI apps from the command line with FastAPI CLI

pkgs.python312Packages.fastapi-mcp

Expose your FastAPI endpoints as Model Context Protocol (MCP) tools, with Auth

pkgs.python312Packages.fastapi-sso

FastAPI plugin to enable SSO to most common providers (such as Facebook login, Google login and login via Microsoft Office 365 Account

pkgs.python313Packages.fastapi-cli

Run and manage FastAPI apps from the command line with FastAPI CLI

pkgs.python313Packages.fastapi-mcp

Expose your FastAPI endpoints as Model Context Protocol (MCP) tools, with Auth

pkgs.python313Packages.fastapi-sso

FastAPI plugin to enable SSO to most common providers (such as Facebook login, Google login and login via Microsoft Office 365 Account

pkgs.python312Packages.fastapi-mail

Module for sending emails and attachments

pkgs.python313Packages.fastapi-mail

Module for sending emails and attachments

pkgs.python312Packages.scalar-fastapi

Plugin for FastAPI to render a reference for your OpenAPI document

pkgs.python313Packages.scalar-fastapi

Plugin for FastAPI to render a reference for your OpenAPI document

pkgs.python312Packages.python-multipart

Streaming multipart parser for Python

pkgs.python313Packages.python-multipart

Streaming multipart parser for Python

pkgs.python312Packages.fastapi-github-oidc

FastAPI compatible middleware to authenticate Github OIDC Tokens

pkgs.python313Packages.fastapi-github-oidc

FastAPI compatible middleware to authenticate Github OIDC Tokens

pkgs.python312Packages.prometheus-fastapi-instrumentator

Instrument FastAPI with Prometheus metrics

pkgs.python313Packages.prometheus-fastapi-instrumentator

Instrument FastAPI with Prometheus metrics

pkgs.python312Packages.opentelemetry-instrumentation-fastapi

OpenTelemetry Instrumentation for fastapi

pkgs.python313Packages.opentelemetry-instrumentation-fastapi

OpenTelemetry Instrumentation for fastapi

CVE-2024-1342
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 3 months ago
Openshift: existing cross-site request forgery protection insufficient for websocket creation

A flaw was found in OpenShift. The existing Cross-Site Request Forgery (CSRF) protections in place do not properly protect GET requests, allowing for the creation of WebSockets via CSRF.

Affected products

openshift

Matching in nixpkgs

pkgs.openshift

Build, deploy, and manage your applications with Docker and Kubernetes

pkgs.python312Packages.openshift

Python client for the OpenShift API

pkgs.python313Packages.openshift

Python client for the OpenShift API

pkgs.python312Packages.azure-mgmt-redhatopenshift

Microsoft Azure Red Hat Openshift Management Client Library for Python

pkgs.python313Packages.azure-mgmt-redhatopenshift

Microsoft Azure Red Hat Openshift Management Client Library for Python

Package maintainers: 4

CVE-2024-1488
8.0 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 3 months ago
Unbound: unrestricted reconfiguration enabled to anyone that may lead to local privilege escalation

A vulnerability was found in Unbound due to incorrect default permissions, allowing any process outside the unbound group to modify the unbound runtime configuration. If a process can connect over localhost to port 8953, it can alter the configuration of unbound.service. This flaw allows an unprivileged attacker to manipulate a running instance, potentially altering forwarders, allowing them to track all queries forwarded by the local resolver, and, in some cases, disrupting resolving altogether.

Affected products

unbound
  • ==1.16.2
  • *

Matching in nixpkgs

pkgs.unbound

Validating, recursive, and caching DNS resolver

pkgs.unbound-full

Validating, recursive, and caching DNS resolver

pkgs.unbound-with-systemd

Validating, recursive, and caching DNS resolver

pkgs.luaPackages.luaunbound

A binding to libunbound

pkgs.lua51Packages.luaunbound

A binding to libunbound

pkgs.lua52Packages.luaunbound

A binding to libunbound

pkgs.lua53Packages.luaunbound

A binding to libunbound

pkgs.lua54Packages.luaunbound

A binding to libunbound

pkgs.luajitPackages.luaunbound

A binding to libunbound

pkgs.prometheus-unbound-exporter

Prometheus exporter for Unbound DNS resolver

pkgs.python312Packages.pyunbound

Python library for Unbound, the validating, recursive, and caching DNS resolver

pkgs.python313Packages.pyunbound

Python library for Unbound, the validating, recursive, and caching DNS resolver

pkgs.haskellPackages.unbound-generics

Support for programming with names and binders using GHC Generics

pkgs.haskellPackages.unbounded-delays

Unbounded thread delays and timeouts

pkgs.haskellPackages.unbound-kind-generics

Support for programming with names and binders using kind-generics

Package maintainers: 3

CVE-2023-48733
6.7 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 3 months ago
An insecure default to allow UEFI Shell in EDK2 was …

An insecure default to allow UEFI Shell in EDK2 was left enabled in Ubuntu's EDK2. This allows an OS-resident attacker to bypass Secure Boot.

Affected products

edk2
  • <2023.05-2ubuntu0.1

Matching in nixpkgs

pkgs.edk2

Intel EFI development kit

pkgs.edk2-uefi-shell

UEFI Shell from Tianocore EFI development kit

Package maintainers: 3

CVE-2023-49721
6.7 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 3 months ago
An insecure default to allow UEFI Shell in EDK2 was …

An insecure default to allow UEFI Shell in EDK2 was left enabled in LXD. This allows an OS-resident attacker to bypass Secure Boot.

Affected products

lxd
  • ==0

Matching in nixpkgs

pkgs.lxd-image-server

Creates and manages a simplestreams lxd image server on top of nginx

pkgs.python312Packages.pylxd

Library for interacting with the LXD REST API

pkgs.python313Packages.pylxd

Library for interacting with the LXD REST API

pkgs.terraform-providers.lxd

Package maintainers: 1

CVE-2023-20587
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 3 months ago
Improper Access Control in System Management Mode (SMM) may allow …

Improper Access Control in System Management Mode (SMM) may allow an attacker access to the SPI flash potentially leading to arbitrary code execution.

Affected products

PI
  • ==various
  • ==various

Matching in nixpkgs

pkgs.spoofdpi

Simple and fast anti-censorship tool written in Go

pkgs.perlPackages.PPI

Parse, Analyze and Manipulate Perl (without perl)

pkgs.perl538Packages.PPI

Parse, Analyze and Manipulate Perl (without perl)

pkgs.perl540Packages.PPI

Parse, Analyze and Manipulate Perl (without perl)

pkgs.perlPackages.GSSAPI

Perl extension providing access to the GSSAPIv2 library

pkgs.perlPackages.PDFAPI2

Create, modify, and examine PDF files

pkgs.haskellPackages.hsPID

PID control loop

pkgs.spirv-llvm-translator

Tool and a library for bi-directional translation between SPIR-V and LLVM IR

pkgs.perl538Packages.GSSAPI

Perl extension providing access to the GSSAPIv2 library

pkgs.perl540Packages.GSSAPI

Perl extension providing access to the GSSAPIv2 library

pkgs.perlPackages.PPIxUtils

Utility functions for PPI

pkgs.perl538Packages.PDFAPI2

Create, modify, and examine PDF files

pkgs.perl540Packages.PDFAPI2

Create, modify, and examine PDF files

pkgs.perlPackages.PPIxRegexp

Parse regular expressions

pkgs.perlPackages.ProcPIDFile

Manage process id files

pkgs.haskellPackages.EdisonAPI

A library of efficient, purely-functional data structures (API)

pkgs.perl538Packages.PPIxUtils

Utility functions for PPI

pkgs.perl540Packages.PPIxUtils

Utility functions for PPI

pkgs.perlPackages.WWWTwilioAPI

Accessing Twilio's REST API with Perl

pkgs.perl538Packages.PPIxRegexp

Parse regular expressions

pkgs.perl540Packages.PPIxRegexp

Parse regular expressions

pkgs.perlPackages.OpenAPIClient

Client for talking to an Open API powered server

pkgs.perlPackages.PPIxQuoteLike

Parse Perl string literals and string-literal-like things

pkgs.perlPackages.PPIxUtilities

Extensions to PPI|PPI

pkgs.perl538Packages.ProcPIDFile

Manage process id files

pkgs.perl540Packages.ProcPIDFile

Manage process id files

pkgs.perl538Packages.WWWTwilioAPI

Accessing Twilio's REST API with Perl

pkgs.perl540Packages.WWWTwilioAPI

Accessing Twilio's REST API with Perl

pkgs.perl538Packages.OpenAPIClient

Client for talking to an Open API powered server

pkgs.perl538Packages.PPIxQuoteLike

Parse Perl string literals and string-literal-like things

pkgs.perl538Packages.PPIxUtilities

Extensions to PPI|PPI

pkgs.perl540Packages.OpenAPIClient

Client for talking to an Open API powered server

pkgs.perl540Packages.PPIxQuoteLike

Parse Perl string literals and string-literal-like things

pkgs.perl540Packages.PPIxUtilities

Extensions to PPI|PPI

pkgs.perlPackages.MojoliciousPluginOpenAPI

OpenAPI / Swagger plugin for Mojolicious

pkgs.perl538Packages.MojoliciousPluginOpenAPI

OpenAPI / Swagger plugin for Mojolicious

pkgs.perl540Packages.MojoliciousPluginOpenAPI

OpenAPI / Swagger plugin for Mojolicious

CVE-2023-31346
6.0 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 3 months ago
Failure to initialize memory in SEV Firmware may allow a …

Failure to initialize memory in SEV Firmware may allow a privileged attacker to access stale data from other guests.

Affected products

PI
  • ==various

Matching in nixpkgs

pkgs.spoofdpi

Simple and fast anti-censorship tool written in Go

pkgs.perlPackages.PPI

Parse, Analyze and Manipulate Perl (without perl)

pkgs.perl538Packages.PPI

Parse, Analyze and Manipulate Perl (without perl)

pkgs.perl540Packages.PPI

Parse, Analyze and Manipulate Perl (without perl)

pkgs.perlPackages.GSSAPI

Perl extension providing access to the GSSAPIv2 library

pkgs.perlPackages.PDFAPI2

Create, modify, and examine PDF files

pkgs.haskellPackages.hsPID

PID control loop

pkgs.spirv-llvm-translator

Tool and a library for bi-directional translation between SPIR-V and LLVM IR

pkgs.perl538Packages.GSSAPI

Perl extension providing access to the GSSAPIv2 library

pkgs.perl540Packages.GSSAPI

Perl extension providing access to the GSSAPIv2 library

pkgs.perlPackages.PPIxUtils

Utility functions for PPI

pkgs.perl538Packages.PDFAPI2

Create, modify, and examine PDF files

pkgs.perl540Packages.PDFAPI2

Create, modify, and examine PDF files

pkgs.perlPackages.PPIxRegexp

Parse regular expressions

pkgs.perlPackages.ProcPIDFile

Manage process id files

pkgs.haskellPackages.EdisonAPI

A library of efficient, purely-functional data structures (API)

pkgs.perl538Packages.PPIxUtils

Utility functions for PPI

pkgs.perl540Packages.PPIxUtils

Utility functions for PPI

pkgs.perlPackages.WWWTwilioAPI

Accessing Twilio's REST API with Perl

pkgs.perl538Packages.PPIxRegexp

Parse regular expressions

pkgs.perl540Packages.PPIxRegexp

Parse regular expressions

pkgs.perlPackages.OpenAPIClient

Client for talking to an Open API powered server

pkgs.perlPackages.PPIxQuoteLike

Parse Perl string literals and string-literal-like things

pkgs.perlPackages.PPIxUtilities

Extensions to PPI|PPI

pkgs.perl538Packages.ProcPIDFile

Manage process id files

pkgs.perl540Packages.ProcPIDFile

Manage process id files

pkgs.perl538Packages.WWWTwilioAPI

Accessing Twilio's REST API with Perl

pkgs.perl540Packages.WWWTwilioAPI

Accessing Twilio's REST API with Perl

pkgs.perl538Packages.OpenAPIClient

Client for talking to an Open API powered server

pkgs.perl538Packages.PPIxQuoteLike

Parse Perl string literals and string-literal-like things

pkgs.perl538Packages.PPIxUtilities

Extensions to PPI|PPI

pkgs.perl540Packages.OpenAPIClient

Client for talking to an Open API powered server

pkgs.perl540Packages.PPIxQuoteLike

Parse Perl string literals and string-literal-like things

pkgs.perl540Packages.PPIxUtilities

Extensions to PPI|PPI

pkgs.perlPackages.MojoliciousPluginOpenAPI

OpenAPI / Swagger plugin for Mojolicious

pkgs.perl538Packages.MojoliciousPluginOpenAPI

OpenAPI / Swagger plugin for Mojolicious

pkgs.perl540Packages.MojoliciousPluginOpenAPI

OpenAPI / Swagger plugin for Mojolicious