Nixpkgs security tracker
4.5 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Local (L)
- Attack Complexity (AC): High (H)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): Low (L)
- Integrity (I): Low (L)
- Availability (A): Low (L)
- Exploit Code Maturity (E): Proof-of-Concept (P)
- Remediation Level (RL): Not Defined (X)
- Report Confidence (RC): Reasonable (R)
- Modified Attack Vector (MAV): Local (L)
- Modified Attack Complexity (MAC): High (H)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): Low (L)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): Low (L)
- Modified Availability (MA): Low (L)
Activity log
- Created suggestion
NASA cFS Pickle pickle.load deserialization
A vulnerability has been found in NASA cFS up to 7.0.0. The impacted element is the function pickle.load of the component Pickle Module. Such manipulation leads to deserialization. The attack needs to be performed locally. The attack requires a high level of complexity. The exploitability is regarded as difficult. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
References
-
-
-
Submit #781949 | NASA cFS 7.0.0 Code Execution third-party-advisory
-
https://github.com/nasa/cFS/issues/951 issue-tracking
-
https://github.com/nasa/cFS/ product
Affected products
- ==7.0
Matching in nixpkgs
pkgs.cfssl
Cloudflare's PKI and TLS toolkit
pkgs.cpcfs
Manipulating CPC dsk images and files
pkgs.encfs
Encrypted filesystem in user-space via FUSE
pkgs.lxcfs
FUSE filesystem for LXC
pkgs.gencfsm
EncFS manager and mounter with GNOME3 integration
pkgs.cfspeedtest
Unofficial CLI for speed.cloudflare.com
pkgs.cfs-zen-tweaks
Tweak Linux CPU scheduler for desktop responsiveness
pkgs.ocamlPackages.cfstream
Simple Core-inspired wrapper for standard library Stream module
pkgs.python312Packages.cfscrape
None
pkgs.python313Packages.cfscrape
Python module to bypass Cloudflare's anti-bot page
pkgs.python314Packages.cfscrape
Python module to bypass Cloudflare's anti-bot page
pkgs.ocamlPackages_latest.cfstream
Simple Core-inspired wrapper for standard library Stream module
pkgs.python312Packages.macfsevents
None
pkgs.python313Packages.macfsevents
Thread-based interface to file system observation primitives
pkgs.python314Packages.macfsevents
Thread-based interface to file system observation primitives
pkgs.azure-cli-extensions.managedccfs
Microsoft Azure Command-Line Tools Managedccfs Extension
pkgs.python312Packages.python-linux-procfs
None
pkgs.python313Packages.python-linux-procfs
Python classes to extract information from the Linux kernel /proc files
pkgs.python314Packages.python-linux-procfs
Python classes to extract information from the Linux kernel /proc files
pkgs.tests.testers.runCommand.nonDefault-hash
None
Package maintainers
-
@katexochen Paul Meyer <katexochen0@gmail.com>
-
@mkg20001 Maciej Krüger <mkg20001+nix@gmail.com>
-
@colemickens Cole Mickens <cole.mickens@gmail.com>
-
@stepbrobd Yifei Sun <ysun@hey.com>
-
@mbrgm Marius Bergmann <marius@yeai.de>
-
@spacefrogg Michael Raitza <spacefrogg-nixos@meterriblecrew.net>
-
@aanderse Aaron Andersen <aaron@fosslib.net>
-
@megheaiulian Meghea Iulian <iulian.meghea@gmail.com>
-
@herbetom Tom Herbers <nixos@tomherbers.de>
-
@adamcstephens Adam C. Stephens <happy.plan4249@valkor.net>
-
@bcdarwin Ben Darwin <bcdarwin@gmail.com>