Nixpkgs security tracker

Dismissed

Permalink CVE-2025-10284

9.6 CRITICAL

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Changed (C)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Changed (C)
Modified Integrity (MI): High (H)
Modified Availability (MA): High (H)

updated 4 months, 1 week ago by @LeSuisse Activity log

Created suggestion 6 months ago
@LeSuisse ignored package hebbot 4 months, 1 week ago
@LeSuisse dismissed 4 months, 1 week ago

Improper Archive Extraction in unarchive Enables RCE

BBOT's unarchive module could be abused by supplying malicious archives files and when extracted can then perform an arbitrary file write, resulting in remote code execution.

References

https://blog.blacklanternsecurity.com/p/bbot-security-advisory-gitdumper

Affected products

bbot

=<2.6.1

Ignored packages (1)

pkgs.hebbot

Matrix bot which can generate "This Week in X" like blog posts

nixos-unstable 2.1-unstable-2024-09-20
- nixpkgs-unstable 2.1-unstable-2024-09-20
- nixos-unstable-small 2.1-unstable-2024-09-20

Software not present in nixpkgs

Suggestion detail

References

Affected products

pkgs.hebbot