Nixpkgs security tracker
8.7 HIGH
- CVSS version (CVSS): 4.0
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Attack Requirement (AT): None (N)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Vulnerable System Impact Confidentiality (VC): High (H)
- Vulnerable System Impact Integrity (VI): High (H)
- Vulnerable System Impact Availability (VA): High (H)
- Subsequent System Impact Confidentiality (SC): None (N)
- Subsequent System Impact Integrity (SI): None (N)
- Subsequent System Impact Availability (SA): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Attack Requirement (MAT): None (N)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Vulnerable System Impact Confidentiality (MVC): High (H)
- Modified Vulnerable System Impact Integrity (MVI): High (H)
- Modified Vulnerable System Impact Availability (MVA): High (H)
- Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
- Modified Subsequent System Impact Integrity (MSI): Negligible (N)
- Modified Subsequent System Impact Availability (MSA): Negligible (N)
- Safety (S): Not Defined (X)
- Automatable (AU): Not Defined (X)
- Recovery (R): Not Defined (X)
- Value Density (V): Not Defined (X)
- Vulnerability Response Effort (RE): Not Defined (X)
- Provider Urgency (U): Not Defined (X)
- Confidentiality Req. (CR): Not Defined (X)
- Integrity Req. (IR): Not Defined (X)
- Availability Req. (AR): Not Defined (X)
- Exploit Maturity (E): Not Defined (X)
Activity log
- Created suggestion
Ghidra 11.0 < 12.1 - SQL Injection in PostgreSQL Password Change via Unescaped Username
Ghidra 11.0 before 12.1 contains a SQL injection vulnerability in the changePassword() method of PostgresFunctionDatabase that fails to escape double quotes in usernames interpolated into ALTER ROLE statements. Authenticated attackers can inject SQL commands via crafted username parameters in PasswordChange network messages to escalate to PostgreSQL superuser privileges and gain full database control.
References
-
GitHub Security Advisory (GHSA-vv7r-2rhf-5h7g) vendor-advisory
-
https://www.vulncheck.com/advisories/ghidra-sql-injection-in-postgresql-passwor… third-party-advisory
Affected products
- <12.1
- ==12.1
Matching in nixpkgs
pkgs.ghidra
Software reverse engineering (SRE) suite of tools
pkgs.ghidra-bin
Software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate in support of the Cybersecurity mission
pkgs.rizinPlugins.rz-ghidra
Deep ghidra decompiler and sleigh disassembler integration for rizin
pkgs.cutterPlugins.rz-ghidra
Deep ghidra decompiler and sleigh disassembler integration for rizin
pkgs.ghidra-extensions.ret-sync
Reverse-Engineering Tools SYNChronization. Allows syncing between a debugging session and Ghidra
-
nixos-unstable 0-unstable-2024-05-29
- nixpkgs-unstable 0-unstable-2024-05-29
- nixos-unstable-small 0-unstable-2024-05-29
-
nixos-26.05 0-unstable-2024-05-29
- nixos-26.05-small 0-unstable-2024-05-29
- nixpkgs-26.05-darwin 0-unstable-2024-05-29
pkgs.python313Packages.pyghidra
Native CPython for Ghidra
pkgs.python314Packages.pyghidra
Native CPython for Ghidra
pkgs.python313Packages.ghidra-bridge
Python bridge to Ghidra's Python scripting
pkgs.python314Packages.ghidra-bridge
Python bridge to Ghidra's Python scripting
pkgs.ghidra-extensions.ghidra-firmware-utils
Ghidra utilities for analyzing PC firmware
-
nixos-unstable 2026.01.14
- nixpkgs-unstable 2026.01.14
- nixos-unstable-small 2026.01.14
-
nixos-26.05 2026.01.14
- nixos-26.05-small 2026.01.14
- nixpkgs-26.05-darwin 2026.01.14
pkgs.ghidra-extensions.ghidra-delinker-extension
Ghidra extension for delinking executables back to object files
pkgs.ghidra-extensions.ghidraninja-ghidra-scripts
Scripts for the Ghidra software reverse engineering suite
-
nixos-unstable 2020-10-07
- nixpkgs-unstable 2020-10-07
- nixos-unstable-small 2020-10-07
-
nixos-26.05 2020-10-07
- nixos-26.05-small 2020-10-07
- nixpkgs-26.05-darwin 2020-10-07
Package maintainers
-
@chayleaf Anna Pavlyuk <chayleaf-nix@pavluk.org>
-
@roblabla Robin Lambertz <robinlambertz+dev@gmail.com>
-
@vringar Stefan Zabka <git@zabka.it>
-
@ck3d Christian Kögler <ck3d@gmx.de>
-
@GovanifY Gauvain 'GovanifY' Roussel-Tarbouriech <gauvain@govanify.com>
-
@Mic92 Jörg Thalheim <joerg@thalheim.io>
-
@hexadecimalDinosaur Ivy Fan-Chiang <dev@ivyfanchiang.ca>
-
@jchv John Chadwick <johnwchadwick@gmail.com>
-
@timschumi Tim Schumacher <timschumi@gmx.de>
-
@spencerpogo Spencer Pogorzelski
-
@fabaff Fabian Affolter <mail@fabian-affolter.ch>