Automatically generated suggestions

CVE-2024-9774 created 1 month, 2 weeks ago
Python-sql: python-sql unary operators do not escape non-Expression operands

A vulnerability was found in python-sql: unary operators (such as Not) do not escape operands that are not Expression objects. A non-Expression value supplied as an operand is therefore written into the generated SQL text instead of being bound as a parameter, so attacker-controlled input in that position can alter the statement (SQL injection).

python-sql
<1.5.2

pkgs.python312Packages.python-sql

Library to write SQL queries in a pythonic way

pkgs.python313Packages.python-sql

Library to write SQL queries in a pythonic way

pkgs.python312Packages.ipython-sql

Introduces a %sql (or %%sql) magic

pkgs.python313Packages.ipython-sql

Introduces a %sql (or %%sql) magic
Package maintainers: 2
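To make the bug class behind this entry concrete, here is an added example (not python-sql's own code, and not taken from the advisory): a deliberately minimal query builder in which the vulnerable unary NOT operator stringifies a non-Expression operand straight into the SQL, beside a corrected version that coerces every operand to an Expression and so binds it as a parameter. The class names (Expression, Column, Param, NotVulnerable, NotFixed), the `%s` placeholder style and the tainted input are all assumptions of this example; python-sql's real API differs.

```python
from dataclasses import dataclass
from typing import Any, List, Tuple


class Expression:
    """Base class for SQL fragments that render to (sql_text, parameters)."""

    def render(self) -> Tuple[str, List[Any]]:
        raise NotImplementedError


@dataclass
class Column(Expression):
    name: str

    def render(self):
        # Identifiers come from the schema, never from the request.
        return f'"{self.name}"', []


@dataclass
class Param(Expression):
    """A value sent to the driver as a bound parameter."""
    value: Any

    def render(self):
        return "%s", [self.value]


def _coerce(operand: Any) -> Expression:
    """Anything that is not already an Expression becomes a bound parameter."""
    return operand if isinstance(operand, Expression) else Param(operand)


@dataclass
class NotVulnerable(Expression):
    """Vulnerable shape: a non-Expression operand is formatted into the SQL."""
    operand: Any

    def render(self):
        if isinstance(self.operand, Expression):
            sql, params = self.operand.render()
            return f"(NOT {sql})", params
        # BUG: the operand's text becomes part of the statement.
        return f"(NOT {self.operand})", []


@dataclass
class NotFixed(Expression):
    """Fixed shape: every operand is coerced before rendering."""
    operand: Any

    def render(self):
        sql, params = _coerce(self.operand).render()
        return f"(NOT {sql})", params


def build_select(where: Expression) -> Tuple[str, List[Any]]:
    sql, params = where.render()
    return f"SELECT * FROM t WHERE {sql}", params


# Constructed attacker input: closes the NOT predicate and appends a tautology.
TAINTED = "0) OR (1=1"


def vulnerable_query() -> Tuple[str, List[Any]]:
    return build_select(NotVulnerable(TAINTED))


def fixed_query() -> Tuple[str, List[Any]]:
    return build_select(NotFixed(TAINTED))


if __name__ == "__main__":
    print(vulnerable_query())
    print(fixed_query())
```

The vulnerable builder emits `SELECT * FROM t WHERE (NOT 0) OR (1=1)` with no parameters, so the tautology is part of the statement the database parses; the fixed builder emits `(NOT %s)` and hands the whole tainted string to the driver as a parameter, where it can only ever be a value.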
CVE-2024-9666
4.7 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 1 month, 2 weeks ago
org.keycloak/keycloak-quarkus-server: Keycloak proxy header handling denial-of-service (DoS) vulnerability

A vulnerability was found in the Keycloak Server. The Keycloak Server is vulnerable to a denial of service (DoS) attack due to improper handling of proxy headers. When Keycloak is configured to accept incoming proxy headers, it may accept non-IP values, such as obfuscated identifiers, without proper validation. This issue can lead to costly DNS resolution operations, which an attacker could exploit to tie up IO threads and potentially cause a denial of service. The attacker must have access to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when reverse proxies do not overwrite incoming headers, and Keycloak is configured to trust these headers.

keycloak
<26.0.6
<24.0.9
rhbk/keycloak-rhel9
*
rhbk/keycloak-rhel9-operator
*
rhbk/keycloak-operator-bundle
*
org.keycloak/keycloak-quarkus-server

pkgs.keycloak

Identity and access management for modern applications and services

pkgs.terraform-providers.keycloak

pkgs.python312Packages.python-keycloak

Provides access to the Keycloak API

pkgs.python313Packages.python-keycloak

Provides access to the Keycloak API
Package maintainers: 4
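The root cause described above is that a proxy header value which is not an IP literal (an RFC 7239 obfuscated identifier such as `_hidden`, `unknown`, or a host name) gets handed to name resolution. The following added example (not Keycloak code) shows the check a front door should perform instead: parse the `Forwarded` and `X-Forwarded-For` hops, accept only IPv4/IPv6 literals with an optional port, and fall back to the TCP peer address whenever any hop fails that test, so no attacker-supplied string ever reaches a resolver. The function names, the leftmost-hop-is-client rule and the sample header values are assumptions of the example.

```python
import ipaddress
import re
from typing import List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# One regex match per for= parameter of an RFC 7239 Forwarded header, quoted or not:
#   for=192.0.2.43        for="[2001:db8::1]:443"        for=_hidden
_FORWARDED_FOR = re.compile(r'(?:^|[;,])\s*for=("?)([^";,]*)\1', re.IGNORECASE)


def client_ip_from_node(node: str) -> Optional[IPAddress]:
    """Return the IP literal in a node identifier, or None if it is not one.

    Accepted: 192.0.2.1, 192.0.2.1:8080, 2001:db8::1, [2001:db8::1], [2001:db8::1]:443.
    Rejected: 'unknown', obfuscated identifiers (_abc) and anything that would
    need a DNS lookup to interpret (host names).
    """
    node = node.strip().strip('"')
    if not node or node.lower() == "unknown" or node.startswith("_"):
        return None
    if node.startswith("["):                      # bracketed IPv6, optional port
        end = node.find("]")
        if end == -1:
            return None
        host = node[1:end]
    else:
        host, sep, _port = node.rpartition(":")   # IPv4 with optional port
        if not sep or ":" in host:                # no port, or bare IPv6
            host = node
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def hops_from_forwarded(header: str) -> List[Optional[IPAddress]]:
    return [client_ip_from_node(m.group(2)) for m in _FORWARDED_FOR.finditer(header)]


def hops_from_xff(header: str) -> List[Optional[IPAddress]]:
    return [client_ip_from_node(part) for part in header.split(",")]


def resolve_client_ip(forwarded: Optional[str], xff: Optional[str], peer: str) -> str:
    """Client address to log and rate-limit on.

    Assumes the reverse proxy in front overwrites incoming headers (so the
    leftmost hop is the real client).  Any hop that is not an IP literal makes
    the whole header untrusted: we use the TCP peer instead of resolving it.
    """
    hops: List[Optional[IPAddress]] = []
    if forwarded:
        hops = hops_from_forwarded(forwarded)
    elif xff:
        hops = hops_from_xff(xff)
    if not hops or any(h is None for h in hops):
        return peer
    return str(hops[0])


if __name__ == "__main__":
    # Constructed header values; 10.0.0.5 stands for the proxy's own address.
    print(resolve_client_ip("for=192.0.2.43", None, "10.0.0.5"))
    print(resolve_client_ip("for=_hidden", None, "10.0.0.5"))
```

Rejecting rather than "best effort" parsing matters here: a value such as `_hidden` is legal per RFC 7239, so a lenient parser that passes whatever it cannot classify to `getaddrinfo` turns every request into a DNS round trip on an I/O thread, which is exactly the resource the advisory says gets exhausted.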
CVE-2024-9427
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 1 month, 2 weeks ago
Koji: escape HTML tag characters in the query string

A vulnerability was found in Koji. An unsanitized input allows a reflected XSS attack: JavaScript code from a malicious link could be reflected in the resulting web page. It is not expected to be possible to submit an action or make a change in Koji due to existing XSS protections in the code.

koji
<1.35.1

pkgs.koji

Interactive CLI for creating conventional commits

pkgs.haskellPackages.koji

Koji buildsystem XML-RPC API bindings
Package maintainers: 2
CVE-2024-4629
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 1 month, 2 weeks ago
Keycloak: potential bypass of brute force protection

A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.

keycloak
==24.0.3
rh-sso7-keycloak
*
rhbk/keycloak-rhel9
*
org.keycloak-keycloak-parent
rhbk/keycloak-rhel9-operator
*
rhbk/keycloak-operator-bundle
*
rh-sso-7/sso76-openshift-rhel8
*

pkgs.keycloak

Identity and access management for modern applications and services

pkgs.terraform-providers.keycloak

pkgs.python312Packages.python-keycloak

Provides access to the Keycloak API

pkgs.python313Packages.python-keycloak

Provides access to the Keycloak API
Package maintainers: 4
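The loophole described above is a race between reading the failure counter and updating it. The added example below (not Keycloak code) models it in plain Python: a protector that checks the count and increments it as two separate steps lets every concurrent attempt through, while one that does both under a lock stops at the configured limit. The class names are hypothetical, and the `threading.Barrier` is a test device that forces all attempts to arrive at the same instant so the race is reproduced deterministically rather than left to scheduling luck.

```python
import threading
from typing import Dict, List, Type


class RacyBruteForceProtector:
    """Check-then-increment without atomicity.

    Every concurrent attempt reads the same stale counter, so all of them are
    evaluated even though the limit is far lower.
    """

    def __init__(self, max_failures: int, rendezvous: threading.Barrier):
        self.max_failures = max_failures
        self.failures: Dict[str, int] = {}
        self._rendezvous = rendezvous

    def attempt(self, user: str) -> bool:
        """Return True if the password guess would be evaluated."""
        current = self.failures.get(user, 0)      # read ...
        self._rendezvous.wait()                   # ... everyone has read by now
        if current >= self.max_failures:
            return False                          # locked out
        self.failures[user] = current + 1         # ... write a stale value
        return True


class AtomicBruteForceProtector:
    """Check and increment as one critical section."""

    def __init__(self, max_failures: int, rendezvous: threading.Barrier):
        self.max_failures = max_failures
        self.failures: Dict[str, int] = {}
        self._rendezvous = rendezvous
        self._lock = threading.Lock()

    def attempt(self, user: str) -> bool:
        self._rendezvous.wait()                   # same simultaneous arrival
        with self._lock:
            current = self.failures.get(user, 0)
            if current >= self.max_failures:
                return False
            self.failures[user] = current + 1
            return True


def run_concurrent(protector_cls: Type, max_failures: int, concurrent_attempts: int) -> int:
    """Fire `concurrent_attempts` failed logins for one user at once.

    Returns how many of them the protector allowed to be evaluated.
    """
    barrier = threading.Barrier(concurrent_attempts)
    protector = protector_cls(max_failures, barrier)
    results: List[bool] = [False] * concurrent_attempts

    def worker(i: int) -> None:
        results[i] = protector.attempt("alice")

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(concurrent_attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


if __name__ == "__main__":
    print("racy  :", run_concurrent(RacyBruteForceProtector, 3, 20), "guesses evaluated")
    print("atomic:", run_concurrent(AtomicBruteForceProtector, 3, 20), "guesses evaluated")
```

The in-process lock is enough to illustrate the defect; in a clustered deployment the counter lives in a shared store and the same property (check and increment as one operation, for example a compare-and-set) has to hold across nodes, otherwise each node enforces the limit independently and the attacker simply spreads the guesses.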
CVE-2024-47515
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 1 month, 2 weeks ago
Pagure: generate_archive() follows symbolic links in temporary clones

A vulnerability was found in Pagure. Symbolic links are followed when a repository is archived, which allows the disclosure of local files: a malicious user can commit a symbolic link pointing outside the repository and obtain the target file's contents from the Pagure host in the generated archive.

pagure
==5.14.1

pkgs.haskellPackages.pagure

Pagure REST client library

pkgs.haskellPackages.pagure-cli

A Pagure gitforge query tool
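The following added example (not Pagure's `generate_archive()` code) reproduces the flaw class with Python's `tarfile` and shows the check a hardened archiver needs: when a symbolic link is encountered, store it as a link rather than its target, and drop any link whose resolved target escapes the clone root. The demo builds a constructed clone directory in a temporary folder with a real file, an in-tree link and an absolute link to a "secret" outside the clone; the archive member names and contents are assumptions of the example.

```python
import io
import os
import tarfile
import tempfile
from pathlib import Path
from typing import List, Tuple


def archive_repo(root: str, follow_symlinks: bool) -> bytes:
    """Tar the tree under `root` into memory.

    follow_symlinks=True reproduces the flaw: tarfile dereferences links, so a
    link committed into the repository is replaced by its target's content,
    even when that target is a local file outside the clone.
    follow_symlinks=False stores links as links and skips any link whose
    resolved target is not inside the clone root.
    """
    root_arg = Path(root)
    root_real = root_arg.resolve()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", dereference=follow_symlinks) as tar:
        for dirpath, _dirnames, filenames in os.walk(root_arg):
            for name in sorted(filenames):
                full = Path(dirpath) / name
                arcname = full.relative_to(root_arg).as_posix()
                if full.is_symlink() and not follow_symlinks:
                    target = (full.parent / os.readlink(full)).resolve()
                    try:
                        target.relative_to(root_real)
                    except ValueError:
                        continue          # points outside the clone: do not archive
                tar.add(str(full), arcname=arcname, recursive=False)
    return buf.getvalue()


def members(archive: bytes) -> List[Tuple[str, str, bytes]]:
    """(name, kind, payload) per member; payload is file content or link target."""
    out: List[Tuple[str, str, bytes]] = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for m in tar.getmembers():
            if m.issym():
                out.append((m.name, "symlink", m.linkname.encode()))
            elif m.isfile():
                out.append((m.name, "file", tar.extractfile(m).read()))
    return out


def demo() -> Tuple[List[Tuple[str, str, bytes]], List[Tuple[str, str, bytes]]]:
    """Constructed clone with a link that escapes it; returns (vulnerable, hardened) members."""
    with tempfile.TemporaryDirectory() as work:
        secret = Path(work) / "outside-secret.txt"      # stands in for a server-side file
        secret.write_bytes(b"db_password=hunter2\n")
        clone = Path(work) / "clone"
        clone.mkdir()
        (clone / "README.md").write_bytes(b"# demo\n")
        os.symlink("README.md", clone / "README-link")   # harmless in-tree link
        os.symlink(secret, clone / "leak")               # absolute link out of the clone
        vulnerable = members(archive_repo(str(clone), follow_symlinks=True))
        hardened = members(archive_repo(str(clone), follow_symlinks=False))
    return vulnerable, hardened


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print("following links :", vulnerable)
    print("hardened        :", hardened)
```

Resolving the link target against the real clone root (rather than string-comparing the link text) is what catches both absolute links and relative links such as `../../etc/passwd`; whether to skip the offending member or fail the whole archive is a policy choice, but silently replacing it with the target's bytes is the behaviour this CVE describes.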
CVE-2024-8768
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 1 month, 2 weeks ago
vLLM: a completions API request with an empty prompt will crash the vLLM API server

A flaw was found in the vLLM library. A completions API request with an empty prompt will crash the vLLM API server, resulting in a denial of service.

vllm
<0.5.5
rhelai1/bootc-nvidia-rhel9
rhelai1/instructlab-nvidia-rhel9

pkgs.vllm

High-throughput and memory-efficient inference and serving engine for LLMs

pkgs.python312Packages.vllm

High-throughput and memory-efficient inference and serving engine for LLMs
Package maintainers: 2
CVE-2024-8939
6.2 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 1 month, 2 weeks ago
vLLM: denial of service in the vLLM JSON web API

A vulnerability was found in the ilab model serve component, where improper handling of the best_of parameter in the vllm JSON web API can lead to a Denial of Service (DoS). The API used for LLM-based sentence or chat completion accepts a best_of parameter to return the best completion from several options. When this parameter is set to a large value, the API does not handle timeouts or resource exhaustion properly, allowing an attacker to cause a DoS by consuming excessive system resources. This leads to the API becoming unresponsive, preventing legitimate users from accessing the service.

vllm
<0.5.0.post1
rhelai1/bootc-nvidia-rhel9
rhelai1/instructlab-nvidia-rhel9

pkgs.vllm

High-throughput and memory-efficient inference and serving engine for LLMs

pkgs.python312Packages.vllm

High-throughput and memory-efficient inference and serving engine for LLMs
Package maintainers: 2
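Both vLLM entries above (the empty-prompt crash, CVE-2024-8768, and the unbounded `best_of`, CVE-2024-8939) are failures to validate a completions request before it reaches the engine. The added example below (not vLLM code) is a request validator of the kind a serving front end would run first: it rejects the whole family of empty prompts, bounds `n`, `best_of` and `max_tokens`, enforces `best_of >= n`, and caps the total decode work `best_of * max_tokens`, since `best_of` multiplies the number of sequences generated. The limits, field names beyond `prompt`/`n`/`best_of`/`max_tokens`, and the simplification that prompts are strings (not token-ID lists) are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Hypothetical server-side policy values; tune per deployment.
MAX_N = 8
MAX_BEST_OF = 8
MAX_TOKENS = 4096
MAX_PROMPT_CHARS = 32_000
MAX_GENERATED_TOKENS = 8_192     # best_of * max_tokens budget per request


class RequestRejected(ValueError):
    """Mapped to an HTTP 4xx by the web layer instead of crashing a worker."""


@dataclass
class CompletionRequest:
    prompts: List[str]
    n: int
    best_of: int
    max_tokens: int


def _int_in_range(value: Any, name: str, lo: int, hi: int) -> int:
    # bool is an int subclass in Python; refuse it explicitly.
    if isinstance(value, bool) or not isinstance(value, int):
        raise RequestRejected(f"{name} must be an integer")
    if not lo <= value <= hi:
        raise RequestRejected(f"{name} must be between {lo} and {hi}")
    return value


def validate_completion_request(body: Dict[str, Any]) -> CompletionRequest:
    prompt = body.get("prompt")
    if isinstance(prompt, str):
        prompts = [prompt]
    elif isinstance(prompt, list) and all(isinstance(p, str) for p in prompt):
        prompts = list(prompt)
    else:
        raise RequestRejected("prompt must be a string or a list of strings")
    # "", [], [""] and whitespace-only prompts all collapse to nothing to decode.
    prompts = [p for p in prompts if p.strip()]
    if not prompts:
        raise RequestRejected("prompt must not be empty")
    if sum(len(p) for p in prompts) > MAX_PROMPT_CHARS:
        raise RequestRejected(f"prompt may not exceed {MAX_PROMPT_CHARS} characters")

    n = _int_in_range(body.get("n", 1), "n", 1, MAX_N)
    best_of = _int_in_range(body.get("best_of", n), "best_of", 1, MAX_BEST_OF)
    if best_of < n:
        raise RequestRejected("best_of must be >= n")
    max_tokens = _int_in_range(body.get("max_tokens", 16), "max_tokens", 1, MAX_TOKENS)
    if best_of * max_tokens > MAX_GENERATED_TOKENS:
        raise RequestRejected(f"best_of * max_tokens may not exceed {MAX_GENERATED_TOKENS}")
    return CompletionRequest(prompts, n, best_of, max_tokens)


def check(body: Dict[str, Any]) -> Optional[str]:
    """None when the request is acceptable, otherwise the rejection reason."""
    try:
        validate_completion_request(body)
        return None
    except RequestRejected as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed request bodies.
    print(check({"prompt": ""}))
    print(check({"prompt": "hi", "best_of": 100000}))
    print(check({"prompt": ["Tell me a joke"], "n": 1, "best_of": 2, "max_tokens": 64}))
```

The budget check is the part that actually addresses the second advisory: a per-field cap on `best_of` alone still allows `best_of=8, max_tokens=4096` to demand eight full-length generations per request, so the product is what has to be bounded, and the server should additionally enforce a wall-clock timeout per request so a slow generation cannot hold a worker indefinitely.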
CVE-2024-12840
5.0 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 1 month, 2 weeks ago
HTTP proxies: Satellite: server-side request forgery in HTTP proxies

A server-side request forgery exists in Satellite. When a PUT HTTP request is made to /http_proxies/test_connection with the http_proxies parameter set to localhost, the attacker can make the server connect to itself and fetch the banner of a service listening on localhost.

security

pkgs.libmodsecurity

ModSecurity v3 library component.

pkgs.paretosecurity

Agent that makes sure your laptop is correctly configured for security

pkgs.xml-security-c

C++ Implementation of W3C security standards for XML

pkgs.modsecurity-crs

The OWASP ModSecurity Core Rule Set is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls.

pkgs.modsecurity_standalone

Open source, cross-platform web application firewall (WAF)

pkgs.converged-security-suite

Converged Security Suite for Intel & AMD platform security features

pkgs.python312Packages.zope-security

Zope Security Framework

pkgs.python313Packages.zope-security

Zope Security Framework

pkgs.haskellPackages.hackage-security

Hackage security library

pkgs.python312Packages.flask-security

Quickly add security features to your Flask application

pkgs.python313Packages.flask-security

Quickly add security features to your Flask application

pkgs.python312Packages.securityreporter

Python wrapper for the Reporter API

pkgs.python313Packages.securityreporter

Python wrapper for the Reporter API

pkgs.haskellPackages.amazonka-securityhub

Amazon SecurityHub SDK

pkgs.haskellPackages.gogol-securitycenter

Google Security Command Center SDK

pkgs.haskellPackages.amazonka-securitylake

Amazon Security Lake SDK

pkgs.haskellPackages.hackage-security-HTTP

Hackage security bindings against the HTTP library

pkgs.haskellPackages.unicode-data-security

Unicode security mechanisms database

pkgs.python312Packages.azure-mgmt-security

Microsoft Azure Security Center Management Client Library for Python

pkgs.python313Packages.azure-mgmt-security

Microsoft Azure Security Center Management Client Library for Python

pkgs.haskellPackages.gogol-websecurityscanner

Google Web Security Scanner SDK

pkgs.pantheon.switchboard-plug-security-privacy

Switchboard Security & Privacy Plug

pkgs.python312Packages.google-cloud-securitycenter

Cloud Security Command Center API API client library

pkgs.python313Packages.google-cloud-securitycenter

Cloud Security Command Center API API client library

pkgs.azure-cli-extensions.hardware-security-modules

Microsoft Azure Command-Line Tools AzureDedicatedHSMResourceProvider Extension

pkgs.python312Packages.azure-keyvault-securitydomain

Microsoft Corporation Azure Keyvault Securitydomain Client Library for Python

pkgs.python312Packages.types-aiobotocore-securityhub

Type annotations for aiobotocore securityhub

pkgs.python313Packages.azure-keyvault-securitydomain

Microsoft Corporation Azure Keyvault Securitydomain Client Library for Python

pkgs.python313Packages.types-aiobotocore-securityhub

Type annotations for aiobotocore securityhub

pkgs.python312Packages.types-aiobotocore-securitylake

Type annotations for aiobotocore securitylake

pkgs.python313Packages.types-aiobotocore-securitylake

Type annotations for aiobotocore securitylake

pkgs.python312Packages.google-cloud-websecurityscanner

Google Cloud Web Security Scanner API client library

pkgs.python313Packages.google-cloud-websecurityscanner

Google Cloud Web Security Scanner API client library

pkgs.python312Packages.types-aiobotocore-codeguru-security

Type annotations for aiobotocore codeguru-security

pkgs.python313Packages.types-aiobotocore-codeguru-security

Type annotations for aiobotocore codeguru-security

pkgs.gnomeExtensions.arch-linux-updates-and-security-indicator

Update indicator for Arch Linux and GNOME Shell.

pkgs.python312Packages.microsoft-security-utilities-secret-masker

Tool for detecting and masking secrets

pkgs.python313Packages.microsoft-security-utilities-secret-masker

Tool for detecting and masking secrets
Package maintainers: 14
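The endpoint described above takes a user-supplied proxy URL and connects to it on the user's behalf, which is the classic SSRF shape. The added example below (not Satellite or Foreman code) is the vetting step such a "test connection" handler should run before opening the socket: allow only http/https, refuse `localhost`, and reject any host whose literal or resolved addresses are loopback, private, link-local, multicast, unspecified or reserved, unwrapping IPv4-mapped IPv6 so `::ffff:127.0.0.1` cannot slip through. The resolver is injectable; the constructed `fake_resolver` table exists only so the demo runs offline, and the function names are the example's own.

```python
import ipaddress
import socket
from typing import Callable, List, Optional, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class UnsafeProxyTarget(ValueError):
    """Raised instead of letting the server open a connection."""


def _disallowed(ip: IPAddress) -> bool:
    # IPv4-mapped IPv6 (::ffff:127.0.0.1) must be judged as its IPv4 form.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_unspecified or ip.is_reserved)


def _addresses(host: str, resolver: Callable) -> List[IPAddress]:
    try:
        return [ipaddress.ip_address(host)]          # literal: no lookup needed
    except ValueError:
        pass
    try:
        infos = resolver(host, None)                 # getaddrinfo-shaped result
    except socket.gaierror as exc:
        raise UnsafeProxyTarget(f"cannot resolve {host}") from exc
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def vet_proxy_url(url: str, resolver: Callable = socket.getaddrinfo) -> str:
    """Validate a user-supplied proxy URL; return 'host:port' if it may be contacted."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeProxyTarget("scheme must be http or https")
    host = parts.hostname                            # brackets stripped, lowercased
    if not host:
        raise UnsafeProxyTarget("missing host")
    if host == "localhost" or host.endswith(".localhost"):
        raise UnsafeProxyTarget("localhost is not an acceptable proxy target")
    try:
        port = parts.port
    except ValueError as exc:
        raise UnsafeProxyTarget("invalid port") from exc
    for ip in _addresses(host, resolver):
        if _disallowed(ip):
            raise UnsafeProxyTarget(f"{host} maps to disallowed address {ip}")
    return f"{host}:{port or (443 if parts.scheme == 'https' else 80)}"


def rejection_reason(url: str, resolver: Callable = socket.getaddrinfo) -> Optional[str]:
    """None if the URL passes vetting, otherwise why it was refused."""
    try:
        vet_proxy_url(url, resolver)
        return None
    except UnsafeProxyTarget as exc:
        return str(exc)


# Constructed DNS table so the demo runs offline; production uses socket.getaddrinfo.
_FAKE_DNS = {"proxy.example": "203.0.113.10", "rebound.example": "127.0.0.1"}


def fake_resolver(host: str, port: Optional[int]):
    if host not in _FAKE_DNS:
        raise socket.gaierror(f"no such host: {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (_FAKE_DNS[host], 0))]


if __name__ == "__main__":
    for url in ("http://proxy.example:3128", "http://localhost:8080",
                "http://[::ffff:127.0.0.1]", "http://rebound.example"):
        print(url, "->", rejection_reason(url, fake_resolver) or "ok")
```

Vetting the resolved addresses is necessary but the check is only as good as the address actually connected to: a host that resolves to a public address at validation time and to 127.0.0.1 a second later (DNS rebinding) defeats a validate-then-reconnect design, so the connection should be made to the vetted IP rather than re-resolving the name, and redirects from the target should be re-vetted or not followed.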
CVE-2024-37962
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 1 month, 2 weeks ago
WordPress Fusion Page Builder plugin <= 1.6.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Agency Dominion Fusion allows Stored XSS. This issue affects Fusion: from n/a through 1.6.1.

fusion
=<1.6.1

pkgs.datafusion-cli

CLI for Apache Arrow DataFusion

pkgs.lxgw-fusionkai

Simplified Chinese font derived from LXGW WenKai GB, iansui and Klee One

pkgs.finalfusion-utils

Utility for converting, quantizing, and querying word embeddings

pkgs.python312Packages.datafusion

Extensible query execution framework

pkgs.python313Packages.datafusion

Extensible query execution framework

pkgs.haskellPackages.fusion-plugin

GHC plugin to make stream fusion more predictable

pkgs.python312Packages.finalfusion

Python module for using finalfusion, word2vec, and fastText word embeddings

pkgs.python312Packages.k-diffusion

Karras et al. (2022) diffusion models for PyTorch

pkgs.python313Packages.finalfusion

Python module for using finalfusion, word2vec, and fastText word embeddings

pkgs.python313Packages.k-diffusion

Karras et al. (2022) diffusion models for PyTorch

pkgs.haskellPackages.gogol-datafusion

Google Cloud Data Fusion SDK

pkgs.haskellPackages.list-fusion-probe

testing list fusion for success

pkgs.haskellPackages.gogol-fusiontables

Google Fusion Tables SDK

pkgs.haskellPackages.fusion-plugin-types

Types for the fusion-plugin package

pkgs.vimPlugins.nvim-treesitter-parsers.fusion

Package maintainers: 4
CVE-2024-54350
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 1 month, 2 weeks ago
WordPress hmd theme <= 2.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HJYL hmd allows Stored XSS. This issue affects hmd: from n/a through 2.0.

hmd
=<2.0

pkgs.openhmd

Library API and drivers immersive technology
Package maintainers: 1