Nixpkgs security tracker
6.9 MEDIUM
- CVSS version (CVSS): 4.0
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Attack Requirement (AT): None (N)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Vulnerable System Impact Confidentiality (VC): None (N)
- Vulnerable System Impact Integrity (VI): Low (L)
- Vulnerable System Impact Availability (VA): None (N)
- Subsequent System Impact Confidentiality (SC): None (N)
- Subsequent System Impact Integrity (SI): None (N)
- Subsequent System Impact Availability (SA): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Attack Requirement (MAT): None (N)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): None (N)
- Modified Vulnerable System Impact Confidentiality (MVC): None (N)
- Modified Vulnerable System Impact Integrity (MVI): Low (L)
- Modified Vulnerable System Impact Availability (MVA): None (N)
- Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
- Modified Subsequent System Impact Integrity (MSI): Negligible (N)
- Modified Subsequent System Impact Availability (MSA): Negligible (N)
- Safety (S): Not Defined (X)
- Automatable (AU): Not Defined (X)
- Recovery (R): Not Defined (X)
- Value Density (V): Not Defined (X)
- Vulnerability Response Effort (RE): Not Defined (X)
- Provider Urgency (U): Not Defined (X)
- Confidentiality Req. (CR): Not Defined (X)
- Integrity Req. (IR): Not Defined (X)
- Availability Req. (AR): Not Defined (X)
- Exploit Maturity (E): Not Defined (X)
by @LeSuisse Activity log
- Created suggestion
-
@LeSuisse
ignored
19 packages
- azure-cli-extensions.fleet
- python312Packages.tesla-fleet-api
- python313Packages.tesla-fleet-api
- python314Packages.tesla-fleet-api
- haskellPackages.amazonka-iotfleethub
- haskellPackages.amazonka-iotfleetwise
- python312Packages.mypy-boto3-iotfleethub
- python313Packages.mypy-boto3-iotfleethub
- python314Packages.mypy-boto3-iotfleethub
- python312Packages.mypy-boto3-iotfleetwise
- python313Packages.mypy-boto3-iotfleetwise
- python314Packages.mypy-boto3-iotfleetwise
- home-assistant-component-tests.tesla_fleet
- python312Packages.types-aiobotocore-iotfleethub
- python313Packages.types-aiobotocore-iotfleethub
- python312Packages.types-aiobotocore-iotfleetwise
- python313Packages.types-aiobotocore-iotfleetwise
- fleetctl
- fleeting-plugin-aws
-
@LeSuisse
ignored
maintainer.ignore
2 maintainers
- @LeSuisse
- @asauzeau
- @LeSuisse accepted
- @LeSuisse published on GitHub
Fleet has a rate limiting bypass via untrusted client IP headers
Fleet is open source device management software. Prior to version 4.80.1, Fleet trusted client-supplied IP address headers when determining the source IP for incoming requests. This allowed authenticated and unauthenticated clients to spoof their apparent IP address and bypass per-IP rate limiting controls. Fleet determines a client’s public IP address using HTTP headers such as X-Forwarded-For, X-Real-IP, and/or True-Client-IP. These headers were trusted without validation. An attacker could supply arbitrary values in these headers, causing Fleet to treat each request as originating from a different IP address. This could allow an attacker to bypass per-IP rate limits and increase the effectiveness of brute-force or password-spraying attempts against authentication endpoints. This issue does not allow authentication bypass, privilege escalation, data exposure, or remote code execution on its own. Version 4.80.1 contains a patch. As a workaround, run Fleet behind a trusted reverse proxy or load balancer that overwrites client IP headers.
References
-
https://github.com/fleetdm/fleet/security/advisories/GHSA-j8h8-75h3-jg53 x_refsource_CONFIRM
-
https://github.com/fleetdm/fleet/releases/tag/fleet-v4.80.1 x_refsource_MISC
Affected products
- ==< 4.80.1
Matching in nixpkgs
Ignored packages (19)
pkgs.fleetctl
CLI tool for managing Fleet
pkgs.fleeting-plugin-aws
GitLab fleeting plugin for AWS
pkgs.azure-cli-extensions.fleet
Microsoft Azure Command-Line Tools Fleet Extension
pkgs.python312Packages.tesla-fleet-api
None
pkgs.python313Packages.tesla-fleet-api
Python library for Tesla Fleet API and Teslemetry
pkgs.python314Packages.tesla-fleet-api
Python library for Tesla Fleet API and Teslemetry
pkgs.haskellPackages.amazonka-iotfleethub
Amazon IoT Fleet Hub SDK
-
nixos-unstable 2.0-unstable-2025-04-16
- nixpkgs-unstable 2.0-unstable-2025-04-16
- nixos-unstable-small 2.0-unstable-2025-04-16
pkgs.haskellPackages.amazonka-iotfleetwise
Amazon IoT FleetWise SDK
-
nixos-unstable 2.0-unstable-2025-04-16
- nixpkgs-unstable 2.0-unstable-2025-04-16
- nixos-unstable-small 2.0-unstable-2025-04-16
pkgs.python312Packages.mypy-boto3-iotfleethub
None
pkgs.python313Packages.mypy-boto3-iotfleethub
Type annotations for boto3 iotfleethub
-
nixos-unstable boto3-iotfleethub-1.40.17
- nixpkgs-unstable boto3-iotfleethub-1.40.17
- nixos-unstable-small boto3-iotfleethub-1.40.17
pkgs.python314Packages.mypy-boto3-iotfleethub
Type annotations for boto3 iotfleethub
-
nixos-unstable boto3-iotfleethub-1.40.17
- nixpkgs-unstable boto3-iotfleethub-1.40.17
- nixos-unstable-small boto3-iotfleethub-1.40.17
pkgs.python313Packages.mypy-boto3-iotfleetwise
Type annotations for boto3 iotfleetwise
-
nixos-unstable boto3-iotfleetwise-1.43.0
- nixpkgs-unstable boto3-iotfleetwise-1.43.0
- nixos-unstable-small boto3-iotfleetwise-1.43.0
pkgs.python314Packages.mypy-boto3-iotfleetwise
Type annotations for boto3 iotfleetwise
-
nixos-unstable boto3-iotfleetwise-1.43.0
- nixpkgs-unstable boto3-iotfleetwise-1.43.0
- nixos-unstable-small boto3-iotfleetwise-1.43.0
pkgs.python313Packages.types-aiobotocore-iotfleethub
Type annotations for aiobotocore iotfleethub
pkgs.python313Packages.types-aiobotocore-iotfleetwise
Type annotations for aiobotocore iotfleetwise
Package maintainers
-
@bddvlpr Luna Simons <luna@bddvlpr.com>
Ignored maintainers (2)
-
@LeSuisse Thomas Gerbet <thomas@gerbet.me>
-
@asauzeau Antoine Sauzeau <antoine.sauzeau3@gmail.com>