Nixpkgs security tracker

Login with GitHub

Suggestions search

All statuses
Filter by:
With package: podman-desktop

Found 4 matching suggestions

View:
Compact
Detailed
Published
Permalink CVE-2026-34045
8.2 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
updated 1 week, 1 day ago by @LeSuisse Activity log
  • Created automatic suggestion 1 week, 1 day ago
  • @LeSuisse accepted 1 week, 1 day ago
  • @LeSuisse published on GitHub 1 week, 1 day ago
Podman Desktop WebView Server Exposed

Podman Desktop is a graphical tool for developing on containers and Kubernetes. Prior to 1.26.2, an unauthenticated HTTP server exposed by Podman Desktop allows any network attacker to remotely trigger denial-of-service conditions and extract sensitive information. By abusing missing connection limits and timeouts, an attacker can exhaust file descriptors and kernel memory, leading to application crash or full host freeze. Additionally, verbose error responses disclose internal paths and system details (including usernames on Windows), aiding further exploitation. The issue requires no authentication or user interaction and is exploitable over the network. This vulnerability is fixed in 1.26.2.

Affected products

podman-desktop
  • ==< 1.26.2

Matching in nixpkgs

Package maintainers

Untriaged
Permalink CVE-2025-11065
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 2 months, 2 weeks ago
Github.com/go-viper/mapstructure/v2: go-viper's mapstructure may leak sensitive information in logs in github.com/go-viper/mapstructure

A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts.

Affected products

podman
toolbox
openshift
microshift
gvisor-tap-vsock
rhtas/cosign-rhel9
rhtas/fulcio-rhel9
devspaces/udi-rhel9
rhtas/gitsign-rhel9
rhtas/rekor-cli-rhel9
devspaces/traefik-rhel9
opentelemetry-collector
devspaces/udi-base-rhel9
rhacm2/acm-grafana-rhel9
rhoai/odh-rhel9-operator
rhtas/rekor-server-rhel9
openshift-pipelines-client
openshift4/ose-helm-operator
redhat-certification-preflight
rhoai/odh-model-registry-rhel9
openshift-gitops-1/argocd-rhel8
openshift-gitops-1/argocd-rhel9
rhtas/timestamp-authority-rhel9
rhacm2/submariner-rhel9-operator
rhtas/rekor-backfill-redis-rhel9
openshift4/ose-helm-rhel9-operator
github.com/go-viper/mapstructure/v2
  • <2.4.0
rhosdt/opentelemetry-collector-rhel8
rhtap-task-runner/rhtap-task-runner-rhel9
advanced-cluster-security/rhacs-main-rhel8
advanced-cluster-security/rhacs-roxctl-rhel8
advanced-cluster-security/rhacs-rhel8-operator
advanced-cluster-security/rhacs-central-db-rhel8
advanced-cluster-security/rhacs-scanner-v4-rhel8
advanced-cluster-security/rhacs-scanner-v4-db-rhel8
zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9
zero-trust-workload-identity-manager/spiffe-spire-server-rhel9
zero-trust-workload-identity-manager/spiffe-spire-oidc-discovery-provider-rhel9
zero-trust-workload-identity-manager/zero-trust-workload-identity-manager-rhel9

Matching in nixpkgs

pkgs.podman

Program for managing pods, containers and container images

pkgs.bctoolbox

Utilities library for Linphone

pkgs.lttoolbox

Finite state compiler, processor and helper tools used by apertium

pkgs.openshift

Build, deploy, and manage your applications with Docker and Kubernetes

pkgs.devtoolbox

Development tools at your fingertips

pkgs.podman-compose

Implementation of docker-compose with podman backend

Package maintainers

Untriaged
Permalink CVE-2025-9566
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months, 4 weeks ago
Podman: podman kube play command may overwrite host files

There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file container a Secrete or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only control the target file to be overwritten but not the content to be written into the file. Binary-Affected: podman Upstream-version-introduced: v4.0.0 Upstream-version-fixed: v5.6.1

References

Affected products

pytz
  • *
babel
  • *
cri-o
  • *
rhcos
  • *
future
  • *
kernel
  • *
podman
  • <5.6.1
  • *
poetry
  • *
pysnmp
  • *
pytest
  • *
subunit
  • *
toolbox
  • *
pyflakes
  • *
wasmedge
  • *
cri-tools
  • *
kernel-rt
  • *
openshift
  • *
pyOpenSSL
  • *
pyparsing
  • *
python-py
  • *
python-ddt
  • *
python-dns
  • *
python-m2r
  • *
python-pbr
  • *
python-smi
  • *
python-tox
  • *
python-amqp
  • *
python-case
  • *
python-cleo
  • *
python-cmd2
  • *
python-flit
  • *
python-idna
  • *
python-lark
  • *
python-mako
  • *
python-mock
  • *
python-nose
  • *
python-pint
  • *
python-sure
  • *
python-toml
  • *
python-tooz
  • *
python-vine
  • *
python-zake
  • *
python-zipp
  • *
pysnmpcrypto
  • *
python-attrs
  • *
python-build
  • *
python-cachy
  • *
python-click
  • *
python-cliff
  • *
python-flask
  • *
python-gabbi
  • *
python-kafka
  • *
python-kazoo
  • *
python-kombu
  • *
python-munch
  • *
python-paste
  • *
python-pecan
  • *
python-redis
  • *
python-sushy
  • *
python-tomli
  • *
python-webob
  • *
python-wrapt
  • *
python-yappi
  • *
python-apipkg
  • *
python-bcrypt
  • *
python-editor
  • *
python-extras
  • *
python-flake8
  • *
python-gevent
  • *
python-ifaddr
  • *
python-jinja2
  • *
python-libcst
  • *
python-mccabe
  • *
python-pep517
  • *
python-pluggy
  • *
python-psutil
  • *
python-pyasn1
  • *
python-pycadf
  • *
python-pycurl
  • *
python-pyghmi
  • *
python-pyudev
  • *
python-routes
  • *
python-sphinx
  • *
python-statsd
  • *
python-stestr
  • *
python-alembic
  • *
python-appdirs
  • *
python-betamax
  • *
python-certifi
  • *
python-chardet
  • *
python-cheroot
  • *
python-distlib
  • *
python-dulwich
  • *
python-execnet
  • *
python-hacking
  • *
python-inotify
  • *
python-iso8601
  • *
python-jeepney
  • *
python-keyring
  • *
python-migrate
  • *
python-mistune
  • *
python-msgpack
  • *
python-netaddr
  • *
python-osc-lib
  • *
python-oslo-db
  • *
python-pexpect
  • *
python-pkginfo
  • *
python-portend
  • *
python-pretend
  • *
python-pycdlib
  • *
python-rfc3986
  • *
python-tempita
  • *
python-tempora
  • *
python-tomli-w
  • *
python-tornado
  • *
python-trustme
  • *
python-warlock
  • *
python-wcwidth
  • *
python-webtest
  • *
python3.12-six
  • *
dbus-python3.12
  • *
kata-containers
  • *
pysnmp-lextudio
  • *
python-autopage
  • *
python-colorama
  • *
python-coverage
  • *
python-docutils
  • *
python-eventlet
  • *
python-filelock
  • *
python-fixtures
  • *
python-funcsigs
  • *
python-futurist
  • *
python-greenlet
  • *
python-gunicorn
  • *
python-html5lib
  • *
python-httplib2
  • *
python-iniparse
  • *
python-jmespath
  • *
python-kerberos
  • *
python-logutils
  • *
python-oauthlib
  • *
python-oslo-log
  • *
python-oslotest
  • *
python-pathspec
  • *
python-pygments
  • *
python-requests
  • *
python-retrying
  • *
python-sqlparse
  • *
python-tenacity
  • *
python-testpath
  • *
python-waitress
  • *
python-werkzeug
  • *
python-zeroconf
  • *
python3.12-mypy
  • *
openstack-macros
  • *
python-automaton
  • *
python-construct
  • *
python-crashtest
  • *
python-decorator
  • *
python-editables
  • *
python-fasteners
  • *
python-freezegun
  • *
python-hatch-vcs
  • *
python-hatchling
  • *
python-httpretty
  • *
python-imagesize
  • *
python-jsonpatch
  • *
python-memcached
  • *
python-mimeparse
  • *
python-monotonic
  • *
python-os-traits
  • *
python-oslo-i18n
  • *
python-packaging
  • *
python-pyperclip
  • *
python-soupsieve
  • *
python-stevedore
  • *
python-testtools
  • *
python-typeguard
  • *
python-uhashring
  • *
python-xmlschema
  • *
container-selinux
  • *
openshift-ansible
  • *
openshift-clients
  • *
python-cachetools
  • *
python-defusedxml
  • *
python-dracclient
  • *
python-hypothesis
  • *
python-jsonschema
  • *
python-kiwisolver
  • *
python-linecache2
  • *
python-markupsafe
  • *
python-oslo-cache
  • *
python-oslo-utils
  • *
python-osprofiler
  • *
python-ptyprocess
  • *
python-pyasyncore
  • *
python-pymemcache
  • *
python-pyrsistent
  • *
python-pytest-cov
  • *
python-repoze-lru
  • *
python-rst-linker
  • *
python-simplejson
  • *
python-sqlalchemy
  • *
python-traceback2
  • *
python-virtualenv
  • *
python-voluptuous
  • *
python-websockify
  • *
python-zombie-imp
  • *
python-zope-event
  • *
python3.12-pyyaml
  • *
openshift4-aws-iso
  • *
python-contextlib2
  • *
python-elementpath
  • *
python-jaraco-text
  • *
python-jsonpath-rw
  • *
python-jsonpointer
  • *
python-oslo-config
  • *
python-oslo-policy
  • *
python-poetry-core
  • *
python-prettytable
  • *
python-pycodestyle
  • *
python-pytest-mock
  • *
python-shellingham
  • *
devspaces/udi-rhel9
  • *
python-atomicwrites
  • *
python-cinderclient
  • *
python-glanceclient
  • *
python-hypothesmith
  • *
python-ironicclient
  • *
python-itsdangerous
  • *
python-openstacksdk
  • *
python-oslo-context
  • *
python-oslo-metrics
  • *
python-oslo-service
  • *
python-paste-deploy
  • *
python-platformdirs
  • *
python-pytest-xdist
  • *
python-smi-lextudio
  • *
python-webencodings
  • *
python-zope-testing
  • *
python3.12-dateutil
  • *
python-SecretStorage
  • *
python-async-timeout
  • *
python-debtcollector
  • *
python-dogpile-cache
  • *
python-keystoneauth1
  • *
python-oslo-rootwrap
  • *
python-pyproject-api
  • *
python-pytest-forked
  • *
python-pytest-runner
  • *
python-requests-mock
  • *
python-simplegeneric
  • *
python-testresources
  • *
python-testscenarios
  • *
container-tools:rhel8
  • *
python-beautifulsoup4
  • *
python-jaraco-classes
  • *
python-jaraco-context
  • *
python-keystoneclient
  • *
python-more-itertools
  • *
python-oslo-messaging
  • *
python-pytest-asyncio
  • *
python-pytest-timeout
  • *
python-setuptools_scm
  • *
python-singledispatch
  • *
python-testrepository
  • *
python-typing-inspect
  • *
python-wsgi_intercept
  • *
python-zope-interface
  • *
ephemeral-port-reserve
  • *
python-jsonpath-rw-ext
  • *
python-mypy_extensions
  • *
python-oslo-middleware
  • *
python-pyproject-hooks
  • *
python-pytest-xprocess
  • *
python-snowballstemmer
  • *
python-tox-current-env
  • *
python-binary-memcached
  • *
python-jaraco-functools
  • *
python-jaraco-packaging
  • *
python-os-client-config
  • *
python-os-service-types
  • *
python-oslo-concurrency
  • *
python-service-identity
  • *
python-sortedcontainers
  • *
python-sphinx_rtd_theme
  • *
devspaces/udi-base-rhel9
  • *
python-oslo-upgradecheck
  • *
python-prometheus_client
  • *
python-railroad-diagrams
  • *
python-requests-kerberos
  • *
python-requests-toolbelt
  • *
python-trove-classifiers
  • *
python-typing-extensions
  • *
python-keystonemiddleware
  • *
python-microversion-parse
  • *
python-openstackdocstheme
  • *
python-oslo-serialization
  • *
python-requestsexceptions
  • *
python-pytest-lazy-fixture
  • *
python-requests-unixsocket
  • *
python-pytest-rerunfailures
  • *
python-sphinxcontrib-jquery
  • *
python-sphinxcontrib-jsmath
  • *
python-sphinxcontrib-qthelp
  • *
container-tools:rhel8/podman
python-oslo-versionedobjects
  • *
python-sphinxcontrib-devhelp
  • *
python-sphinx-theme-alabaster
  • *
python-sphinxcontrib-htmlhelp
  • *
python-hatch-fancy-pypi-readme
  • *
python-sphinxcontrib-applehelp
  • *
python-sphinxcontrib-httpdomain
  • *
python-ironic-prometheus-exporter
  • *
python-sphinxcontrib-serializinghtml
  • *
ose-aws-ecr-image-credential-provider
  • *
ose-gcp-gcr-image-credential-provider
  • *
ose-azure-acr-image-credential-provider
  • *

Matching in nixpkgs

pkgs.podman

Program for managing pods, containers and container images

  • nixos-unstable -

pkgs.podman-tui

Podman Terminal UI

  • nixos-unstable -

pkgs.podman-bootc

Streamlining podman+bootc interactions

  • nixos-unstable -

pkgs.podman-compose

Implementation of docker-compose with podman backend

  • nixos-unstable -

pkgs.podman-desktop

Graphical tool for developing on containers and Kubernetes

  • nixos-unstable -

Package maintainers

Untriaged
Permalink CVE-2025-6032
8.3 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months, 4 weeks ago
Podman: podman missing tls verification

A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack.

References

Affected products

rhcos
  • *
podman
  • <5.5.2
  • *
container-tools:rhel8
  • *
container-tools:rhel8/podman

Matching in nixpkgs

pkgs.podman

Program for managing pods, containers and container images

  • nixos-unstable -

pkgs.podman-tui

Podman Terminal UI

  • nixos-unstable -

pkgs.podman-bootc

Streamlining podman+bootc interactions

  • nixos-unstable -

pkgs.podman-compose

Implementation of docker-compose with podman backend

  • nixos-unstable -

pkgs.podman-desktop

Graphical tool for developing on containers and Kubernetes

  • nixos-unstable -

Package maintainers