Nixpkgs security tracker

Login with GitHub

Suggestions search

Published
Filter by:
With package: tempo

Found 1 matching suggestions

View:
Compact
Detailed
Permalink CVE-2026-28377
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @LeSuisse ignored
    31 packages
    • temporal
    • tempora_lgc
    • temporalite
    • temporal-cli
    • temporal_capi
    • temporal-ui-server
    • gnomeExtensions.tempomate
    • haskellPackages.temporary
    • python312Packages.tempora
    • python313Packages.tempora
    • python314Packages.tempora
    • tests.haskell.incremental
    • haskellPackages.temporary-rc
    • python312Packages.temporalio
    • python313Packages.temporalio
    • python314Packages.temporalio
    • haskellPackages.temporal-media
    • terraform-providers.temporalcloud
    • postgresqlPackages.temporal_tables
    • haskellPackages.temporal-api-protos
    • haskellPackages.temporary-resourcet
    • postgresql13Packages.temporal_tables
    • postgresql14Packages.temporal_tables
    • postgresql15Packages.temporal_tables
    • postgresql16Packages.temporal_tables
    • postgresql17Packages.temporal_tables
    • postgresql18Packages.temporal_tables
    • haskellPackages.temporal-music-notation
    • haskellPackages.temporal-music-notation-demo
    • terraform-providers.temporalio_temporalcloud
    • haskellPackages.temporal-music-notation-western
    2 months, 3 weeks ago
  • @LeSuisse accepted 2 months, 3 weeks ago
  • @LeSuisse published on GitHub 2 months, 3 weeks ago
S3 SSE-C Encryption Key Exposed in Plaintext via Config Endpoint (CVE-2025-41118 Pattern)

A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3. Thanks to william_goodfellow for reporting this vulnerability.

Affected products

Tempo
  • ==2.10.3

Matching in nixpkgs

pkgs.tempo

High volume, minimal dependency trace storage

Ignored packages (31)

pkgs.temporal

Microservice orchestration platform which enables developers to build scalable applications without sacrificing productivity or reliability

pkgs.tempora_lgc

Tempora font

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small

pkgs.temporal-cli

Command-line interface for running Temporal Server and interacting with Workflows, Activities, Namespaces, and other parts of Temporal

pkgs.temporal_capi

A Rust implementation of ECMAScript's Temporal API

Package maintainers

Upstream advisory: https://grafana.com/security/security-advisories/cve-2026-28377