Nixpkgs Security Tracker

Login with GitHub

Suggestions search

Untriaged

Filter by:

With package: prometheus-aws-s3-exporter

Found 1 matching suggestions

View:

Compact

Detailed

Permalink CVE-2026-32265

created 4 days, 15 hours ago

Amazon S3 for Craft CMS has an Information Disclosure vulnerability

The Amazon S3 for Craft CMS plugin provides an Amazon S3 integration for Craft CMS. In versions 2.0.2 through 2.2.4, unauthenticated users can view a list of buckets the plugin has access to. The `BucketsController->actionLoadBucketData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Users should update to version 2.2.5 of the plugin to mitigate the issue.

References

https://github.com/craftcms/aws-s3/security/advisories/GHSA-hwj7-4vgc-j3v9 x_refsource_CONFIRM
https://github.com/craftcms/aws-s3/commit/ef8904d8b6856e4a52893a9e1e52988ae110aa3f x_refsource_MISC

Affected products

aws-s3

==>= 2.0.2, < 2.2.5

Matching in nixpkgs

pkgs.prometheus-aws-s3-exporter

Exports Prometheus metrics about S3 buckets and objects

nixos-unstable s3-exporter-0.5.0
- nixpkgs-unstable s3-exporter-0.5.0
- nixos-unstable-small s3-exporter-0.5.0
nixos-25.11 s3-exporter-0.5.0
- nixos-25.11-small s3-exporter-0.5.0
- nixpkgs-25.11-darwin s3-exporter-0.5.0

Package maintainers

@mmahut Marek Mahut <marek.mahut@gmail.com>

1