Nixpkgs security tracker
8.8 HIGH
- CVSS version (CVSS): 4.0
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Attack Requirement (AT): None (N)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Vulnerable System Impact Confidentiality (VC): High (H)
- Vulnerable System Impact Integrity (VI): High (H)
- Vulnerable System Impact Availability (VA): None (N)
- Subsequent System Impact Confidentiality (SC): None (N)
- Subsequent System Impact Integrity (SI): None (N)
- Subsequent System Impact Availability (SA): None (N)
- Exploit Maturity (E): POC (P)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Attack Requirement (MAT): None (N)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): None (N)
- Modified Vulnerable System Impact Confidentiality (MVC): High (H)
- Modified Vulnerable System Impact Integrity (MVI): High (H)
- Modified Vulnerable System Impact Availability (MVA): None (N)
- Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
- Modified Subsequent System Impact Integrity (MSI): Negligible (N)
- Modified Subsequent System Impact Availability (MSA): Negligible (N)
- Safety (S): Not Defined (X)
- Automatable (AU): Not Defined (X)
- Recovery (R): Not Defined (X)
- Value Density (V): Not Defined (X)
- Vulnerability Response Effort (RE): Not Defined (X)
- Provider Urgency (U): Not Defined (X)
- Confidentiality Req. (CR): Not Defined (X)
- Integrity Req. (IR): Not Defined (X)
- Availability Req. (AR): Not Defined (X)
by @LeSuisse Activity log
- Created suggestion
-
@LeSuisse
ignored
20 packages
- gravit
- antigravity
- antigravity-fhs
- stardust-xr-gravity
- kdePackages.libgravatar
- gnomeExtensions.gravatar
- haskellPackages.gravatar
- python312Packages.libgravatar
- python313Packages.libgravatar
- python314Packages.libgravatar
- python312Packages.flask-gravatar
- python313Packages.flask-gravatar
- python314Packages.flask-gravatar
- python312Packages.django-gravatar2
- python313Packages.django-gravatar2
- python314Packages.django-gravatar2
- perlPackages.MojoliciousPluginGravatar
- perl5Packages.MojoliciousPluginGravatar
- perl538Packages.MojoliciousPluginGravatar
- perl540Packages.MojoliciousPluginGravatar
- @LeSuisse accepted
- @LeSuisse published on GitHub
Grav: Unauthenticated Path Traversal & Arbitrary File Write in FormFlash component.
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, there is a Path Traversal vulnerability within the FormFlash core component. By manipulating the session_id (passed as __form-flash-id in POST requests), an unauthenticated attacker can traverse the filesystem to create arbitrary directories and write an index.yaml file containing attacker-controlled data. This vulnerability can lead to unauthorized modification of application behavior, potential data integrity issues, and service disruption in production environments. This vulnerability is fixed in 2.0.0-beta.2.
References
Affected products
- ==< 2.0.0-beta.2
Matching in nixpkgs
Ignored packages (20)
pkgs.gravit
Beautiful OpenGL-based gravity simulator
pkgs.antigravity
Agentic development platform, evolving the IDE into the agent-first era
pkgs.antigravity-fhs
Wrapped variant of antigravity which launches in a FHS compatible environment, should allow for easy usage of extensions without nix-specific modifications
pkgs.stardust-xr-gravity
Utility to launch apps and stardust clients at an offet
-
nixos-unstable 0-unstable-2024-12-29
- nixpkgs-unstable 0-unstable-2024-12-29
- nixos-unstable-small 0-unstable-2024-12-29
-
nixos-25.11 0-unstable-2024-12-29
- nixos-25.11-small 0-unstable-2024-12-29
- nixpkgs-25.11-darwin 0-unstable-2024-12-29
pkgs.kdePackages.libgravatar
Library that provides Gravatar support
pkgs.gnomeExtensions.gravatar
Synchronize GNOME Shell user icon with an avatar service, one of Gravatar or Libravatar.
pkgs.haskellPackages.gravatar
Generate Gravatar image URLs
pkgs.python312Packages.libgravatar
Library that provides a Python 3 interface for the Gravatar API
pkgs.python313Packages.libgravatar
Library that provides a Python 3 interface for the Gravatar API
pkgs.python314Packages.libgravatar
Library that provides a Python 3 interface for the Gravatar API
pkgs.python312Packages.flask-gravatar
Small and simple integration of gravatar into flask
pkgs.python313Packages.flask-gravatar
Small and simple integration of gravatar into flask
pkgs.python314Packages.flask-gravatar
Small and simple integration of gravatar into flask
pkgs.python312Packages.django-gravatar2
Essential Gravatar support for Django
-
nixos-25.11 gravatar2-1.4.5
- nixos-25.11-small gravatar2-1.4.5
- nixpkgs-25.11-darwin gravatar2-1.4.5
pkgs.python313Packages.django-gravatar2
Essential Gravatar support for Django
-
nixos-unstable gravatar2-1.4.5
- nixpkgs-unstable gravatar2-1.4.5
- nixos-unstable-small gravatar2-1.4.5
-
nixos-25.11 gravatar2-1.4.5
- nixos-25.11-small gravatar2-1.4.5
- nixpkgs-25.11-darwin gravatar2-1.4.5
pkgs.python314Packages.django-gravatar2
Essential Gravatar support for Django
-
nixos-unstable gravatar2-1.4.5
- nixpkgs-unstable gravatar2-1.4.5
- nixos-unstable-small gravatar2-1.4.5
pkgs.perlPackages.MojoliciousPluginGravatar
Globally Recognized Avatars for Mojolicious
pkgs.perl5Packages.MojoliciousPluginGravatar
Globally Recognized Avatars for Mojolicious
pkgs.perl538Packages.MojoliciousPluginGravatar
Globally Recognized Avatars for Mojolicious
pkgs.perl540Packages.MojoliciousPluginGravatar
Globally Recognized Avatars for Mojolicious
Package maintainers
-
@rycee Robert Helgesson <robert@rycee.net>