Nixpkgs Security Tracker

Automatically generated suggestions

CVE-2023-25800
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 3 months ago
WordPress Tutor LMS Plugin <= 2.2.0 is vulnerable to SQL Injection

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeum Tutor LMS allows SQL Injection. This issue affects Tutor LMS: from n/a through 2.2.0.

Affected products

tutor
  • =<2.2.0

Matching in nixpkgs

pkgs.typstPackages.tutor_0_3_0

Utilities to create exams

pkgs.typstPackages.tutor_0_4_0

Utilities to create exams

pkgs.typstPackages.tutor_0_6_1

Utilities to create exams

pkgs.typstPackages.tutor_0_7_0

Utilities to create exams

pkgs.typstPackages.tutor_0_8_0

Utilities to create exams

pkgs.haskellPackages.timeless-tutorials

Initial project template from stack

Package maintainers: 1

CVE-2023-0462
8.0 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 3 months ago
Arbitrary code execution through yaml global parameters

An arbitrary code execution flaw was found in Foreman. This issue may allow an admin user to execute arbitrary code on the underlying operating system by setting global parameters with a YAML payload.

Affected products

foreman

Matching in nixpkgs

pkgs.foreman

Process manager for applications with multiple components

Package maintainers: 1

CVE-2023-38473
6.2 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 3 months ago
Reachable assertion in avahi_alternative_host_name

A vulnerability was found in Avahi. A reachable assertion exists in the avahi_alternative_host_name() function.

Affected products

avahi

Matching in nixpkgs

pkgs.avahi

mDNS/DNS-SD implementation

pkgs.guile-avahi

Bindings to Avahi for GNU Guile

pkgs.avahi-compat

mDNS/DNS-SD implementation

pkgs.haskellPackages.avahi

Minimal DBus bindings for Avahi daemon (http://avahi.org)

pkgs.python312Packages.avahi

mDNS/DNS-SD implementation

pkgs.python313Packages.avahi

mDNS/DNS-SD implementation

Package maintainers: 3

CVE-2023-32513
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 3 months ago
WordPress GiveWP Plugin <= 2.25.3 is vulnerable to PHP Object Injection

Deserialization of Untrusted Data vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform. This issue affects GiveWP – Donation Plugin and Fundraising Platform: from n/a through 2.25.3.

Affected products

give
  • =<2.25.3

Matching in nixpkgs

pkgs.filegive

Easy p2p file sending program

CVE-2023-30797
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 3 months ago
Insecure Random Generation in Netflix Lemur

Netflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur.

Affected products

lemur
  • <<1.3.2

Matching in nixpkgs

pkgs.lemurs

Customizable TUI display/login manager written in Rust

Package maintainers: 2

CVE-2023-0341
7.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 3 months ago
Stack Buffer Overflow in editorconfig-core-c

A stack buffer overflow exists in the ec_glob function of editorconfig-core-c before v0.12.6, which allowed an attacker to arbitrarily write to the stack and possibly allowed remote code execution. editorconfig-core-c v0.12.6 resolved this vulnerability by bounds-checking all write operations over the p_pcre buffer.

Affected products

editorconfig-core-c
  • <v0.12.6

Matching in nixpkgs

pkgs.editorconfig-core-c

EditorConfig core library written in C

Package maintainers: 1

CVE-2023-29403
7.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 3 months ago
Unsafe behavior in setuid/setgid binaries in runtime

On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard I/O file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.

Affected products

runtime
  • <1.19.10
  • <1.20.5

Matching in nixpkgs

pkgs.onnxruntime

Cross-platform, high performance scoring engine for ML models

pkgs.kata-runtime

Lightweight Virtual Machines like containers that provide the workload isolation and security of VMs

pkgs.aws-lambda-rie

Locally test Lambda functions packaged as container images

pkgs.nodepy-runtime

Runtime for Python inspired by Node.JS

pkgs.rocmPackages.hsakmt

Platform runtime for ROCm

pkgs.intel-compute-runtime

Intel Graphics Compute Runtime oneAPI Level Zero and OpenCL, supporting 12th Gen and newer

pkgs.rocmPackages_6.hsakmt

Platform runtime for ROCm

pkgs.kdePackages.kdepim-runtime

Akonadi agents and resources

pkgs.rocmPackages_6.rocm-runtime

Platform runtime for ROCm

pkgs.intel-compute-runtime-legacy1

Intel Graphics Compute Runtime oneAPI Level Zero and OpenCL with support for Gen8, Gen9 and Gen11 GPUs

pkgs.python312Packages.onnxruntime

Cross-platform, high performance scoring engine for ML models

pkgs.python313Packages.onnxruntime

Cross-platform, high performance scoring engine for ML models

pkgs.dotnetCorePackages.runtime_8_0

Core functionality needed to create .NET Core projects, that is shared between Visual Studio and CLI (wrapper)

pkgs.dotnetCorePackages.runtime_9_0

Core functionality needed to create .NET Core projects, that is shared between Visual Studio and CLI (wrapper)

pkgs.haskellPackages.fficxx-runtime

Runtime for fficxx-generated library

pkgs.linuxPackages.fwts-efi-runtime

Firmware Test Suite(efi-runtime kernel module)

pkgs.dotnetCorePackages.runtime_10_0

Core functionality needed to create .NET Core projects, that is shared between Visual Studio and CLI (wrapper)

pkgs.azure-cli-extensions.k8s-runtime

Microsoft Azure Command-Line Tools K8sRuntime Extension

pkgs.python312Packages.fluent-runtime

Localization library for expressive translations

pkgs.python312Packages.nodepy-runtime

Runtime for Python inspired by Node.JS

pkgs.python313Packages.fluent-runtime

Localization library for expressive translations

pkgs.python313Packages.nodepy-runtime

Runtime for Python inspired by Node.JS

pkgs.dotnetCorePackages.runtime_6_0-bin

.NET Runtime 6.0.36 (wrapper)

pkgs.dotnetCorePackages.runtime_7_0-bin

.NET Runtime 7.0.20 (wrapper)

pkgs.dotnetCorePackages.runtime_8_0-bin

.NET Runtime 8.0.20 (wrapper)

pkgs.dotnetCorePackages.runtime_9_0-bin

.NET Runtime 9.0.9 (wrapper)

pkgs.haskellPackages.proto-lens-runtime

pkgs.linuxPackages_lqx.fwts-efi-runtime

Firmware Test Suite(efi-runtime kernel module)

pkgs.linuxPackages_zen.fwts-efi-runtime

Firmware Test Suite(efi-runtime kernel module)

pkgs.dotnetCorePackages.runtime_10_0-bin

.NET Runtime 10.0.0-rc.1.25451.107 (wrapper)

pkgs.haskellPackages.gogol-runtimeconfig

Google Cloud Runtime Configuration SDK

pkgs.python312Packages.onnxruntime-tools

Transformers Model Optimization Tool of ONNXRuntime

pkgs.python313Packages.onnxruntime-tools

Transformers Model Optimization Tool of ONNXRuntime

pkgs.haskellPackages.amazonka-lex-runtime

Amazon Lex Runtime Service SDK

pkgs.linuxPackages-libre.fwts-efi-runtime

Firmware Test Suite(efi-runtime kernel module)

pkgs.dotnetCorePackages.aspnetcore_6_0-bin

ASP.NET Core Runtime 6.0.36 (wrapper)

pkgs.dotnetCorePackages.aspnetcore_7_0-bin

ASP.NET Core Runtime 7.0.20 (wrapper)

pkgs.dotnetCorePackages.aspnetcore_8_0-bin

ASP.NET Core Runtime 8.0.20 (wrapper)

pkgs.dotnetCorePackages.aspnetcore_9_0-bin

ASP.NET Core Runtime 9.0.9 (wrapper)

pkgs.linuxPackages_latest.fwts-efi-runtime

Firmware Test Suite(efi-runtime kernel module)

pkgs.linuxPackages_xanmod.fwts-efi-runtime

Firmware Test Suite(efi-runtime kernel module)

pkgs.dotnetCorePackages.aspnetcore_10_0-bin

ASP.NET Core Runtime 10.0.0-rc.1.25451.107 (wrapper)

pkgs.dotnetCorePackages.dotnet_8.aspnetcore

Core functionality needed to create .NET Core projects, that is shared between Visual Studio and CLI (wrapper)

pkgs.dotnetCorePackages.dotnet_9.aspnetcore

Core functionality needed to create .NET Core projects, that is shared between Visual Studio and CLI (wrapper)

pkgs.python312Packages.rapidocr-onnxruntime

Cross platform OCR Library based on OnnxRuntime

pkgs.python313Packages.rapidocr-onnxruntime

Cross platform OCR Library based on OnnxRuntime

pkgs.dotnetCorePackages.dotnet_10.aspnetcore

Core functionality needed to create .NET Core projects, that is shared between Visual Studio and CLI (wrapper)

pkgs.python312Packages.langgraph-runtime-inmem

Inmem implementation for the LangGraph API server

pkgs.python313Packages.langgraph-runtime-inmem

Inmem implementation for the LangGraph API server

pkgs.haskellPackages.amazonka-sagemaker-runtime

Amazon SageMaker Runtime SDK

pkgs.haskellPackages.aws-lambda-haskell-runtime

Haskell runtime for AWS Lambda

pkgs.linuxPackages_latest-libre.fwts-efi-runtime

Firmware Test Suite(efi-runtime kernel module)

pkgs.haskellPackages.amazonka-personalize-runtime

Amazon Personalize Runtime SDK

pkgs.linuxPackages_xanmod_stable.fwts-efi-runtime

Firmware Test Suite(efi-runtime kernel module)

pkgs.python312Packages.google-cloud-runtimeconfig

Google Cloud RuntimeConfig API client library

pkgs.python312Packages.pythonRuntimeDepsCheckHook

  • nixos-unstable ???
    • nixpkgs-unstable

pkgs.python313Packages.google-cloud-runtimeconfig

Google Cloud RuntimeConfig API client library

pkgs.python313Packages.pythonRuntimeDepsCheckHook

  • nixos-unstable ???
    • nixpkgs-unstable

pkgs.haskellPackages.amazonka-sagemaker-a2i-runtime

Amazon Augmented AI Runtime SDK

pkgs.haskellPackages.aws-lambda-haskell-runtime-wai

Run wai applications on AWS Lambda

pkgs.linuxKernel.packages.linux_5_4.fwts-efi-runtime

Firmware Test Suite(efi-runtime kernel module)

pkgs.linuxKernel.packages.linux_6_1.fwts-efi-runtime

Firmware Test Suite(efi-runtime kernel module)

pkgs.linuxKernel.packages.linux_6_6.fwts-efi-runtime

Firmware Test Suite(efi-runtime kernel module)

pkgs.linuxKernel.packages.linux_lqx.fwts-efi-runtime

Firmware Test Suite(efi-runtime kernel module)

pkgs.linuxKernel.packages.linux_zen.fwts-efi-runtime

Firmware Test Suite(efi-runtime kernel module)

pkgs.python312Packages.types-aiobotocore-lex-runtime

Type annotations for aiobotocore lex-runtime

pkgs.python313Packages.types-aiobotocore-lex-runtime

Type annotations for aiobotocore lex-runtime

pkgs.linuxKernel.packages.linux_5_10.fwts-efi-runtime

Firmware Test Suite(efi-runtime kernel module)

pkgs.linuxKernel.packages.linux_5_15.fwts-efi-runtime

Firmware Test Suite(efi-runtime kernel module)

pkgs.linuxKernel.packages.linux_6_12.fwts-efi-runtime

Firmware Test Suite(efi-runtime kernel module)

pkgs.linuxKernel.packages.linux_6_16.fwts-efi-runtime

Firmware Test Suite(efi-runtime kernel module)

pkgs.linuxKernel.packages.linux_libre.fwts-efi-runtime

Firmware Test Suite(efi-runtime kernel module)

pkgs.python312Packages.types-aiobotocore-lexv2-runtime

Type annotations for aiobotocore lexv2-runtime

pkgs.python313Packages.types-aiobotocore-lexv2-runtime

Type annotations for aiobotocore lexv2-runtime

pkgs.linuxKernel.packages.linux_xanmod.fwts-efi-runtime

Firmware Test Suite(efi-runtime kernel module)

pkgs.linuxKernel.packages.linux_hardened.fwts-efi-runtime

Firmware Test Suite(efi-runtime kernel module)

pkgs.python312Packages.types-aiobotocore-sagemaker-runtime

Type annotations for aiobotocore sagemaker-runtime

pkgs.python313Packages.types-aiobotocore-sagemaker-runtime

Type annotations for aiobotocore sagemaker-runtime

pkgs.vscode-extensions.ms-dotnettools.vscode-dotnet-runtime

Provides a way for other Visual Studio Code extensions to install local versions of .NET SDK/Runtime

pkgs.haskellPackages.amazonka-sagemaker-featurestore-runtime

Amazon SageMaker Feature Store Runtime SDK

pkgs.python312Packages.types-aiobotocore-personalize-runtime

Type annotations for aiobotocore personalize-runtime

pkgs.python313Packages.types-aiobotocore-personalize-runtime

Type annotations for aiobotocore personalize-runtime

pkgs.linuxKernel.packages.linux_latest_libre.fwts-efi-runtime

Firmware Test Suite(efi-runtime kernel module)

pkgs.linuxKernel.packages.linux_6_12_hardened.fwts-efi-runtime

Firmware Test Suite(efi-runtime kernel module)

pkgs.linuxKernel.packages.linux_xanmod_stable.fwts-efi-runtime

Firmware Test Suite(efi-runtime kernel module)

pkgs.python312Packages.types-aiobotocore-sagemaker-a2i-runtime

Type annotations for aiobotocore sagemaker-a2i-runtime

pkgs.python313Packages.types-aiobotocore-sagemaker-a2i-runtime

Type annotations for aiobotocore sagemaker-a2i-runtime

pkgs.python312Packages.types-aiobotocore-sagemaker-featurestore-runtime

Type annotations for aiobotocore sagemaker-featurestore-runtime

pkgs.python313Packages.types-aiobotocore-sagemaker-featurestore-runtime

Type annotations for aiobotocore sagemaker-featurestore-runtime

Package maintainers: 28

CVE-2023-23820
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 3 months ago
WordPress ProfilePress Plugin <= 4.5.4 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in ProfilePress Membership Team ProfilePress plugin <= 4.5.4 versions.

Affected products

wp-user-avatar
  • =<4.5.4

Matching in nixpkgs

pkgs.wordpressPackages.plugins.wp-user-avatars

CVE-2023-38470
6.2 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 3 months ago
Reachable assertion in avahi_escape_label

A vulnerability was found in Avahi. A reachable assertion exists in the avahi_escape_label() function.

Affected products

avahi

Matching in nixpkgs

pkgs.avahi

mDNS/DNS-SD implementation

pkgs.guile-avahi

Bindings to Avahi for GNU Guile

pkgs.avahi-compat

mDNS/DNS-SD implementation

pkgs.haskellPackages.avahi

Minimal DBus bindings for Avahi daemon (http://avahi.org)

pkgs.python312Packages.avahi

mDNS/DNS-SD implementation

pkgs.python313Packages.avahi

mDNS/DNS-SD implementation

Package maintainers: 3

created 3 months ago
Apache Airflow: DAG Params allow to embed unchecked Javascript

Apache Airflow versions 2.6.0 through 2.7.3 have a stored XSS vulnerability that allows a DAG author to add unbounded and unsanitized JavaScript to the parameter description field of a DAG. This JavaScript can be executed on the client side, within the browser sandbox, of any user who looks at the tasks. While this issue does not allow escaping the browser sandbox or manipulating server-side data beyond what the DAG author can already do, it allows modifying what a user looking at the DAG details sees in the browser, which opens up all kinds of possibilities for misleading other users. Users of Apache Airflow are recommended to upgrade to version 2.8.0 or newer to mitigate the risk associated with this vulnerability.

Affected products

apache-airflow
  • <2.8.0

Matching in nixpkgs

pkgs.apache-airflow

Programmatically author, schedule and monitor data pipelines

Package maintainers: 3