Nixpkgs Security Tracker

Login with GitHub

Automatically generated suggestions

to queue a suggestion for refinement.

to remove a suggestion from the queue.

CVE-2024-7143
created 3 months ago
Pulpcore: rbac permissions incorrectly assigned in tasks that create objects

A flaw was found in the Pulp package. When a role-based access control (RBAC) object in Pulp is set to assign permissions on its creation, it uses the `AutoAddObjPermsMixin` (typically the add_roles_for_object_creator method). This method finds the object creator by checking the current authenticated user. For objects that are created within a task, this current user is set by the first user with any permissions on the task object. This means the oldest user with model/domain-level task permissions will always be set as the current user of a task, even if they didn't dispatch the task. Therefore, all objects created in tasks will have their permissions assigned to this oldest user, and the creating user will receive nothing.

Affected products

pulp
  • =<3.56.0
receptor
python-django
python-urllib3
python-pulpcore
python3x-django
python3x-urllib3
python3x-pulpcore
automation-controller
python-pulpcore-client
rubygem-pulpcore_client

Matching in nixpkgs

pkgs.pulp

A build system for PureScript projects

pkgs.nodePackages.pulp

A build system for PureScript projects

pkgs.python312Packages.pulp

Module to generate MPS or LP files

pkgs.python313Packages.pulp

Module to generate MPS or LP files

pkgs.nodePackages_latest.pulp

A build system for PureScript projects

Package maintainers: 1

CVE-2024-9774
created 3 months ago
Python-sql: python-sql unary operators does not escape non-expression

A vulnerability was found in python-sql where unary operators do not escape non-Expression.

Affected products

python-sql
  • <1.5.2

Matching in nixpkgs

pkgs.python312Packages.python-sql

Library to write SQL queries in a pythonic way

pkgs.python313Packages.python-sql

Library to write SQL queries in a pythonic way

pkgs.python312Packages.ipython-sql

Introduces a %sql (or %%sql) magic

pkgs.python313Packages.ipython-sql

Introduces a %sql (or %%sql) magic

Package maintainers: 2

CVE-2024-9666
4.7 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 3 months ago
Org.keycloak/keycloak-quarkus-server: keycloak proxy header handling denial-of-service (dos) vulnerability

A vulnerability was found in the Keycloak Server. The Keycloak Server is vulnerable to a denial of service (DoS) attack due to improper handling of proxy headers. When Keycloak is configured to accept incoming proxy headers, it may accept non-IP values, such as obfuscated identifiers, without proper validation. This issue can lead to costly DNS resolution operations, which an attacker could exploit to tie up IO threads and potentially cause a denial of service. The attacker must have access to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when reverse proxies do not overwrite incoming headers, and Keycloak is configured to trust these headers.

Affected products

keycloak
  • <26.0.6
  • <24.0.9
rhbk/keycloak-rhel9
  • *
rhbk/keycloak-rhel9-operator
  • *
rhbk/keycloak-operator-bundle
  • *
org.keycloak/keycloak-quarkus-server

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

pkgs.terraform-providers.keycloak

pkgs.python312Packages.python-keycloak

Provides access to the Keycloak API

pkgs.python313Packages.python-keycloak

Provides access to the Keycloak API

Package maintainers: 4

CVE-2024-9427
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 3 months ago
Koji: escape html tag characters in the query string

A vulnerability in Koji was found. An unsanitized input allows for an XSS attack. Javascript code from a malicious link could be reflected in the resulting web page. It is not expected to be able to submit an action or make a change in Koji due to existing XSS protections in the code

Affected products

koji
  • <1.35.1

Matching in nixpkgs

pkgs.koji

Interactive CLI for creating conventional commits

pkgs.haskellPackages.koji

Koji buildsystem XML-RPC API bindings

Package maintainers: 2

CVE-2024-4629
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 3 months ago
Keycloak: potential bypass of brute force protection

A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.

Affected products

keycloak
  • ==24.0.3
rh-sso7-keycloak
  • *
rhbk/keycloak-rhel9
  • *
org.keycloak-keycloak-parent
rhbk/keycloak-rhel9-operator
  • *
rhbk/keycloak-operator-bundle
  • *
rh-sso-7/sso76-openshift-rhel8
  • *

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

pkgs.terraform-providers.keycloak

pkgs.python312Packages.python-keycloak

Provides access to the Keycloak API

pkgs.python313Packages.python-keycloak

Provides access to the Keycloak API

Package maintainers: 4

CVE-2024-47515
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 3 months ago
Pagure: generate_archive() follows symbolic links in temporary clones

A vulnerability was found in Pagure. Support of symbolic links during repository archiving of repositories allows the disclosure of local files. This flaw allows a malicious user to take advantage of the Pagure instance.

Affected products

pagure
  • ==5.14.1

Matching in nixpkgs

pkgs.haskellPackages.pagure

Pagure REST client library

pkgs.haskellPackages.pagure-cli

A Pagure gitforge query tool

CVE-2024-8768
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 3 months ago
Vllm: a completions api request with an empty prompt will crash the vllm api server.

A flaw was found in the vLLM library. A completions API request with an empty prompt will crash the vLLM API server, resulting in a denial of service.

Affected products

vllm
  • <0.5.5
rhelai1/bootc-nvidia-rhel9
rhelai1/instructlab-nvidia-rhel9

Matching in nixpkgs

pkgs.vllm

High-throughput and memory-efficient inference and serving engine for LLMs

pkgs.python312Packages.vllm

High-throughput and memory-efficient inference and serving engine for LLMs

Package maintainers: 2

CVE-2024-8939
6.2 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 3 months ago
Vllm: denials of service in vllm json web api

A vulnerability was found in the ilab model serve component, where improper handling of the best_of parameter in the vllm JSON web API can lead to a Denial of Service (DoS). The API used for LLM-based sentence or chat completion accepts a best_of parameter to return the best completion from several options. When this parameter is set to a large value, the API does not handle timeouts or resource exhaustion properly, allowing an attacker to cause a DoS by consuming excessive system resources. This leads to the API becoming unresponsive, preventing legitimate users from accessing the service.

Affected products

vllm
  • <0.5.0.post1
rhelai1/bootc-nvidia-rhel9
rhelai1/instructlab-nvidia-rhel9

Matching in nixpkgs

pkgs.vllm

High-throughput and memory-efficient inference and serving engine for LLMs

pkgs.python312Packages.vllm

High-throughput and memory-efficient inference and serving engine for LLMs

Package maintainers: 2

CVE-2024-12840
5.0 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 3 months ago
Http proxies: satellite: service side request forgery in http proxies

A server-side request forgery exists in Satellite. When a PUT HTTP request is made to /http_proxies/test_connection, when supplied with the http_proxies variable set to localhost, the attacker can fetch the localhost banner.

Affected products

security

Matching in nixpkgs

pkgs.libmodsecurity

ModSecurity v3 library component.

pkgs.paretosecurity

Agent that makes sure your laptop is correctly configured for security

pkgs.xml-security-c

C++ Implementation of W3C security standards for XML

pkgs.modsecurity-crs

The OWASP ModSecurity Core Rule Set is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls.

pkgs.modsecurity_standalone

Open source, cross-platform web application firewall (WAF)

pkgs.converged-security-suite

Converged Security Suite for Intel & AMD platform security features

pkgs.python312Packages.zope-security

Zope Security Framework

pkgs.python313Packages.zope-security

Zope Security Framework

pkgs.haskellPackages.hackage-security

Hackage security library

pkgs.python312Packages.flask-security

Quickly add security features to your Flask application

pkgs.python313Packages.flask-security

Quickly add security features to your Flask application

pkgs.python312Packages.securityreporter

Python wrapper for the Reporter API

pkgs.python313Packages.securityreporter

Python wrapper for the Reporter API

pkgs.haskellPackages.amazonka-securityhub

Amazon SecurityHub SDK

pkgs.haskellPackages.gogol-securitycenter

Google Security Command Center SDK

pkgs.haskellPackages.amazonka-securitylake

Amazon Security Lake SDK

pkgs.haskellPackages.hackage-security-HTTP

Hackage security bindings against the HTTP library

pkgs.haskellPackages.unicode-data-security

Unicode security mechanisms database

pkgs.python312Packages.azure-mgmt-security

Microsoft Azure Security Center Management Client Library for Python

pkgs.python313Packages.azure-mgmt-security

Microsoft Azure Security Center Management Client Library for Python

pkgs.haskellPackages.gogol-websecurityscanner

Google Web Security Scanner SDK

pkgs.pantheon.switchboard-plug-security-privacy

Switchboard Security & Privacy Plug

pkgs.python312Packages.google-cloud-securitycenter

Cloud Security Command Center API API client library

pkgs.python313Packages.google-cloud-securitycenter

Cloud Security Command Center API API client library

pkgs.azure-cli-extensions.hardware-security-modules

Microsoft Azure Command-Line Tools AzureDedicatedHSMResourceProvider Extension

pkgs.python312Packages.azure-keyvault-securitydomain

Microsoft Corporation Azure Keyvault Securitydomain Client Library for Python

pkgs.python312Packages.types-aiobotocore-securityhub

Type annotations for aiobotocore securityhub

pkgs.python313Packages.azure-keyvault-securitydomain

Microsoft Corporation Azure Keyvault Securitydomain Client Library for Python

pkgs.python313Packages.types-aiobotocore-securityhub

Type annotations for aiobotocore securityhub

pkgs.python312Packages.types-aiobotocore-securitylake

Type annotations for aiobotocore securitylake

pkgs.python313Packages.types-aiobotocore-securitylake

Type annotations for aiobotocore securitylake

pkgs.python312Packages.google-cloud-websecurityscanner

Google Cloud Web Security Scanner API client library

pkgs.python313Packages.google-cloud-websecurityscanner

Google Cloud Web Security Scanner API client library

pkgs.python312Packages.types-aiobotocore-codeguru-security

Type annotations for aiobotocore codeguru-security

pkgs.python313Packages.types-aiobotocore-codeguru-security

Type annotations for aiobotocore codeguru-security

pkgs.gnomeExtensions.arch-linux-updates-and-security-indicator

Update indicator for Arch Linux and GNOME Shell.

pkgs.python312Packages.microsoft-security-utilities-secret-masker

Tool for detecting and masking secrets

pkgs.python313Packages.microsoft-security-utilities-secret-masker

Tool for detecting and masking secrets

Package maintainers: 14

CVE-2024-37962
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 3 months ago
WordPress Fusion Page Builder plugin <= 1.6.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Agency Dominion Fusion allows Stored XSS.This issue affects Fusion: from n/a through 1.6.1.

Affected products

fusion
  • =<1.6.1

Matching in nixpkgs

pkgs.datafusion-cli

CLI for Apache Arrow DataFusion

pkgs.lxgw-fusionkai

Simplified Chinese font derived from LXGW WenKai GB, iansui and Klee One

pkgs.finalfusion-utils

Utility for converting, quantizing, and querying word embeddings

pkgs.python312Packages.datafusion

Extensible query execution framework

pkgs.python313Packages.datafusion

Extensible query execution framework

pkgs.haskellPackages.fusion-plugin

GHC plugin to make stream fusion more predictable

pkgs.python312Packages.finalfusion

Python module for using finalfusion, word2vec, and fastText word embeddings

pkgs.python312Packages.k-diffusion

Karras et al. (2022) diffusion models for PyTorch

pkgs.python313Packages.finalfusion

Python module for using finalfusion, word2vec, and fastText word embeddings

pkgs.python313Packages.k-diffusion

Karras et al. (2022) diffusion models for PyTorch

pkgs.haskellPackages.gogol-datafusion

Google Cloud Data Fusion SDK

pkgs.haskellPackages.list-fusion-probe

testing list fusion for success

pkgs.haskellPackages.gogol-fusiontables

Google Fusion Tables SDK

pkgs.haskellPackages.fusion-plugin-types

Types for the fusion-plugin package

pkgs.vimPlugins.nvim-treesitter-parsers.fusion

  • nixos-unstable ???
    • nixpkgs-unstable

Package maintainers: 4