Nixpkgs Security Tracker

Automatically generated suggestions

CVE-2024-7006
6.2 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 3 months ago
Libtiff: null pointer dereference in tif_dirinfo.c

A null pointer dereference flaw was found in Libtiff via `tif_dirinfo.c`. This issue may allow an attacker to trigger memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a segmentation fault. This can cause an application crash, eventually leading to a denial of service.

Affected products

libtiff
  • ==4.4.0
  • ==4.0.9
  • *

Matching in nixpkgs

pkgs.libtiff

Library and utilities for working with the TIFF image file format

Package maintainers: 7

CVE-2024-43168
4.8 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 3 months ago
Unbound: heap-buffer-overflow in unbound

A heap-buffer-overflow flaw was found in the cfg_mark_ports function within Unbound's config_file.c, which can lead to memory corruption. This issue could allow an attacker with local access to provide specially crafted input, potentially causing the application to crash or allowing arbitrary code execution. This could result in a denial of service or unauthorized actions on the system.

Affected products

rhcos
unbound
openstack-unbound-container
designate-operator-container
rhosp-rhel9/openstack-unbound
designate-operator-bundle-container
rhosp-rhel8-tech-preview/openstack-unbound

Matching in nixpkgs

pkgs.unbound

Validating, recursive, and caching DNS resolver

pkgs.unbound-full

Validating, recursive, and caching DNS resolver

pkgs.unbound-with-systemd

Validating, recursive, and caching DNS resolver

pkgs.luaPackages.luaunbound

A binding to libunbound

pkgs.lua51Packages.luaunbound

A binding to libunbound

pkgs.lua52Packages.luaunbound

A binding to libunbound

pkgs.lua53Packages.luaunbound

A binding to libunbound

pkgs.lua54Packages.luaunbound

A binding to libunbound

pkgs.luajitPackages.luaunbound

A binding to libunbound

pkgs.prometheus-unbound-exporter

Prometheus exporter for Unbound DNS resolver

pkgs.python312Packages.pyunbound

Python library for Unbound, the validating, recursive, and caching DNS resolver

pkgs.python313Packages.pyunbound

Python library for Unbound, the validating, recursive, and caching DNS resolver

pkgs.haskellPackages.unbound-generics

Support for programming with names and binders using GHC Generics

pkgs.haskellPackages.unbounded-delays

Unbounded thread delays and timeouts

pkgs.haskellPackages.unbound-kind-generics

Support for programming with names and binders using kind-generics

Package maintainers: 3

CVE-2024-5290
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 3 months ago
An issue was discovered in Ubuntu wpa_supplicant that resulted in …

An issue was discovered in Ubuntu wpa_supplicant that resulted in loading of arbitrary shared objects, which allows a local unprivileged attacker to escalate privileges to the user that wpa_supplicant runs as (usually root). Membership in the netdev group or access to the dbus interface of wpa_supplicant allow an unprivileged user to specify an arbitrary path to a module to be loaded by the wpa_supplicant process; other escalation paths might exist.

Affected products

wpa
  • <2.1-0ubuntu1.7+esm5
  • <2.4-0ubuntu6.8+esm1
  • <2:2.9-1ubuntu4.4
  • <2:2.10-21ubuntu0.1
  • <2:2.10-6ubuntu2.1
  • <2:2.6-15ubuntu2.8+esm1

Matching in nixpkgs

pkgs.wpaperd

Minimal wallpaper daemon for Wayland

pkgs.cowpatty

Offline dictionary attack against WPA/WPA2 networks

pkgs.vowpal-wabbit

Machine learning system focused on online reinforcement learning

pkgs.wpa_supplicant_gui

Qt-based GUI for wpa_supplicant

pkgs.wpa_supplicant_ro_ssids

Tool for connecting to WPA and WPA2-protected wireless networks

pkgs.python312Packages.vowpalwabbit

Vowpal Wabbit is a fast machine learning library for online learning, and this is the python wrapper for the project

pkgs.python313Packages.vowpalwabbit

Vowpal Wabbit is a fast machine learning library for online learning, and this is the python wrapper for the project

pkgs.python312Packages.mwparserfromhell

MWParserFromHell is a parser for MediaWiki wikicode

pkgs.python313Packages.mwparserfromhell

MWParserFromHell is a parser for MediaWiki wikicode

pkgs.vscode-extensions.twpayne.vscode-testscript

Syntax highlighting support for testscript

Package maintainers: 9

CVE-2024-7383
5.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 3 months ago
Libnbd: nbd server improper certificate validation

A flaw was found in libnbd. The client did not always correctly verify the NBD server's certificate when using TLS to connect to an NBD server. This issue allows a man-in-the-middle attack on NBD traffic.

Affected products

libnbd
  • <1.20.2
  • <1.18.5
  • *
virt:rhel
  • *
virt:av/libnbd
virt-devel:rhel
  • *
virt:rhel/libnbd

Matching in nixpkgs

pkgs.libnbd

Network Block Device client library in userspace

pkgs.python312Packages.libnbd

Network Block Device client library in userspace

pkgs.python313Packages.libnbd

Network Block Device client library in userspace

Package maintainers: 1

created 3 months ago
Insufficient validation of SPI flash addresses in the ASP (AMD …

Insufficient validation of SPI flash addresses in the ASP (AMD Secure Processor) bootloader may allow an attacker to read data in memory mapped beyond SPI flash resulting in a potential loss of availability and integrity.

Affected products

PI
  • ==various

Matching in nixpkgs

pkgs.spoofdpi

Simple and fast anti-censorship tool written in Go

pkgs.perlPackages.PPI

Parse, Analyze and Manipulate Perl (without perl)

pkgs.perl538Packages.PPI

Parse, Analyze and Manipulate Perl (without perl)

pkgs.perl540Packages.PPI

Parse, Analyze and Manipulate Perl (without perl)

pkgs.perlPackages.GSSAPI

Perl extension providing access to the GSSAPIv2 library

pkgs.perlPackages.PDFAPI2

Create, modify, and examine PDF files

pkgs.haskellPackages.hsPID

PID control loop

pkgs.spirv-llvm-translator

Tool and a library for bi-directional translation between SPIR-V and LLVM IR

pkgs.perl538Packages.GSSAPI

Perl extension providing access to the GSSAPIv2 library

pkgs.perl540Packages.GSSAPI

Perl extension providing access to the GSSAPIv2 library

pkgs.perlPackages.PPIxUtils

Utility functions for PPI

pkgs.perl538Packages.PDFAPI2

Create, modify, and examine PDF files

pkgs.perl540Packages.PDFAPI2

Create, modify, and examine PDF files

pkgs.perlPackages.PPIxRegexp

Parse regular expressions

pkgs.perlPackages.ProcPIDFile

Manage process id files

pkgs.haskellPackages.EdisonAPI

A library of efficient, purely-functional data structures (API)

pkgs.perl538Packages.PPIxUtils

Utility functions for PPI

pkgs.perl540Packages.PPIxUtils

Utility functions for PPI

pkgs.perlPackages.WWWTwilioAPI

Accessing Twilio's REST API with Perl

pkgs.perl538Packages.PPIxRegexp

Parse regular expressions

pkgs.perl540Packages.PPIxRegexp

Parse regular expressions

pkgs.perlPackages.OpenAPIClient

Client for talking to an Open API powered server

pkgs.perlPackages.PPIxQuoteLike

Parse Perl string literals and string-literal-like things

pkgs.perlPackages.PPIxUtilities

Extensions to PPI

pkgs.perl538Packages.ProcPIDFile

Manage process id files

pkgs.perl540Packages.ProcPIDFile

Manage process id files

pkgs.perl538Packages.WWWTwilioAPI

Accessing Twilio's REST API with Perl

pkgs.perl540Packages.WWWTwilioAPI

Accessing Twilio's REST API with Perl

pkgs.perl538Packages.OpenAPIClient

Client for talking to an Open API powered server

pkgs.perl538Packages.PPIxQuoteLike

Parse Perl string literals and string-literal-like things

pkgs.perl538Packages.PPIxUtilities

Extensions to PPI

pkgs.perl540Packages.OpenAPIClient

Client for talking to an Open API powered server

pkgs.perl540Packages.PPIxQuoteLike

Parse Perl string literals and string-literal-like things

pkgs.perl540Packages.PPIxUtilities

Extensions to PPI

pkgs.perlPackages.MojoliciousPluginOpenAPI

OpenAPI / Swagger plugin for Mojolicious

pkgs.perl538Packages.MojoliciousPluginOpenAPI

OpenAPI / Swagger plugin for Mojolicious

pkgs.perl540Packages.MojoliciousPluginOpenAPI

OpenAPI / Swagger plugin for Mojolicious

CVE-2022-47161
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 3 months ago
WordPress Health Check & Troubleshooting Plugin <= 1.5.1 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in The WordPress.Org community Health Check & Troubleshooting plugin <= 1.5.1 versions.

Affected products

health-check
  • =<1.5.1

Matching in nixpkgs

pkgs.health-check

Process monitoring tool

pkgs.grpc-health-check

Minimal, high performance, memory-friendly, safe implementation of the gRPC health checking protocol

pkgs.python312Packages.django-health-check

Pluggable app that runs a full check on the deployment

pkgs.python313Packages.django-health-check

Pluggable app that runs a full check on the deployment

pkgs.rubyPackages.github-pages-health-check

pkgs.python312Packages.grpcio-health-checking

Standard Health Checking Service for gRPC

pkgs.python313Packages.grpcio-health-checking

Standard Health Checking Service for gRPC

pkgs.rubyPackages_3_1.github-pages-health-check

pkgs.rubyPackages_3_2.github-pages-health-check

pkgs.rubyPackages_3_3.github-pages-health-check

pkgs.rubyPackages_3_4.github-pages-health-check

Package maintainers: 4

CVE-2021-3429
5.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 3 months ago
sensitive data exposure in cloud-init logs

When instructing cloud-init to set a random password for a new user account, versions before 21.2 would write that password to the world-readable log file /var/log/cloud-init-output.log. This could allow a local user to log in as another user.

Affected products

cloud-init
  • <21.2

Matching in nixpkgs

pkgs.cloud-init

Provides configuration and customization of cloud instance

Package maintainers: 2

CVE-2022-34148
4.8 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 3 months ago
WordPress Backup Guard Plugin <= 1.6.9.0 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in JetBackup JetBackup – WP Backup, Migrate & Restore plugin <= 1.6.9.0 versions.

Affected products

backup
  • =<1.6.9.0

Matching in nixpkgs

pkgs.ghbackup

Backup your GitHub repositories with a simple command-line application written in Go

pkgs.dvdbackup

Tool to rip video DVDs from the command line

pkgs.gb-backup

Gamer Backup, a super opinionated cloud backup system

pkgs.qr-backup

Utility to generate paper backup of files using QR codes

pkgs.zfsbackup

Backup ZFS snapshots to cloud storage such as Google, Amazon, Azure, etc

pkgs.borgbackup

Deduplicating archiver with compression and encryption

pkgs.luckybackup

Powerful, fast and reliable backup & sync tool

pkgs.mylvmbackup

Tool for quickly creating full physical backups of a MySQL server's data files

pkgs.pika-backup

Simple backups based on borg

pkgs.storeBackup

Backup suite that stores files on other disks

pkgs.rdiff-backup

Backup system trying to combine best a mirror and an incremental backup system

pkgs.git-backup-go

Backup all your GitHub & GitLab repositories

pkgs.github-backup

Backup a github user or organization

pkgs.virtnbdbackup

Backup utility for Libvirt/qemu/kvm

pkgs.zfs-autobackup

ZFS backup, replication and snapshot tool

pkgs.automysqlbackup

Script to run daily, weekly and monthly backups for your MySQL database

pkgs.urbackup-client

Easy to setup Open Source client/server backup system

pkgs.one-click-backup

Simple Program to backup folders to an external location by copying them

pkgs.clickhouse-backup

Tool for easy ClickHouse backup and restore using object storage for backup files

pkgs.signalbackup-tools

Tool to work with Signal Backup files

pkgs.kdePackages.kbackup

Backup program with an easy-to-use interface

pkgs.unifi-protect-backup

Python tool to backup unifi event clips in realtime

pkgs.pinboard-notes-backup

Back up the notes you've saved to Pinboard

pkgs.proxmox-backup-client

Command line client for Proxmox Backup Server

pkgs.percona-xtrabackup_8_0

Non-blocking backup tool for MySQL

pkgs.percona-xtrabackup_lts

Non-blocking backup tool for MySQL

pkgs.android-backup-extractor

Utility to extract and repack Android backups created with adb backup

pkgs.python312Packages.iosbackup

Reads and extracts files from password-encrypted iOS backups

pkgs.python313Packages.iosbackup

Reads and extracts files from password-encrypted iOS backups

pkgs.haskellPackages.amazonka-backup

Amazon Backup SDK

pkgs.python312Packages.android-backup

Unpack and repack android backups

pkgs.python313Packages.android-backup

Unpack and repack android backups

pkgs.python312Packages.mypy-boto3-backup

Type annotations for boto3 backup

pkgs.python313Packages.mypy-boto3-backup

Type annotations for boto3 backup

pkgs.haskellPackages.pinboard-notes-backup

Back up the notes you've saved to Pinboard

pkgs.home-assistant-component-tests.backup

Open source home automation that puts local control and privacy first

pkgs.haskellPackages.amazonka-backupstorage

Amazon Backup Storage SDK

pkgs.haskellPackages.amazonka-backup-gateway

Amazon Backup Gateway SDK

pkgs.python312Packages.types-aiobotocore-backup

Type annotations for aiobotocore backup

pkgs.python313Packages.types-aiobotocore-backup

Type annotations for aiobotocore backup

pkgs.python312Packages.types-aiobotocore-backupstorage

Type annotations for aiobotocore backupstorage

pkgs.python313Packages.types-aiobotocore-backupstorage

Type annotations for aiobotocore backupstorage

pkgs.python312Packages.types-aiobotocore-backup-gateway

Type annotations for aiobotocore backup-gateway

pkgs.python313Packages.types-aiobotocore-backup-gateway

Type annotations for aiobotocore backup-gateway

pkgs.python312Packages.azure-mgmt-recoveryservicesbackup

This is the Microsoft Azure Recovery Services Backup Management Client Library

pkgs.python313Packages.azure-mgmt-recoveryservicesbackup

This is the Microsoft Azure Recovery Services Backup Management Client Library

Package maintainers: 44

CVE-2022-4145
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 3 months ago
Content spoofing

A content spoofing flaw was found in OpenShift's OAuth endpoint. This flaw allows a remote, unauthenticated attacker to inject text into a webpage, enabling the obfuscation of a phishing operation.

Affected products

openshift

Matching in nixpkgs

pkgs.openshift

Build, deploy, and manage your applications with Docker and Kubernetes

pkgs.python312Packages.openshift

Python client for the OpenShift API

pkgs.python313Packages.openshift

Python client for the OpenShift API

pkgs.python312Packages.azure-mgmt-redhatopenshift

Microsoft Azure Red Hat Openshift Management Client Library for Python

pkgs.python313Packages.azure-mgmt-redhatopenshift

Microsoft Azure Red Hat Openshift Management Client Library for Python

Package maintainers: 4

CVE-2022-47183
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 3 months ago
WordPress Extra Block Design, Style, CSS for ANY Gutenberg Blocks Plugin <= 0.2.6 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in StylistWP Extra Block Design, Style, CSS for ANY Gutenberg Blocks plugin <= 0.2.6 versions.

Affected products

stylist
  • =<0.2.6

Matching in nixpkgs

pkgs.haskellPackages.stylist-traits

Traits, datatypes, & parsers for Haskell Stylist