Nixpkgs security tracker

Login with GitHub

Dismissed suggestions

These automatic suggestions were dismissed after initial triaging.

to select a suggestion for revision.

View:
Compact
Detailed
Dismissed
(not in Nixpkgs)
Permalink CVE-2026-8349
2.1 LOW
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Exploit Maturity (E): POC (P)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
updated 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 weeks ago
  • @LeSuisse dismissed (not in Nixpkgs) 2 weeks ago
omec-project amf NGAP Message memory corruption

A flaw has been found in omec-project amf up to 2.1.1. This vulnerability affects unknown code of the component NGAP Message Handler. Executing a manipulation can lead to memory corruption. The attack can be launched remotely. The exploit has been published and may be used. This patch is called 8a4c33cdda866094f1989bdeff6d8642fce8de8435f89defd66831c97715f5aa. It is best practice to apply a patch to resolve this issue.

Affected products

amf
  • ==2.1.0
  • ==2.1.1

Matching in nixpkgs

pkgs.bamf

Application matching framework

pkgs.ramfetch

Tool which displays memory information

  • nixos-unstable 1.1.0a
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

pkgs.cramfsswap

Swap endianess of a cram filesystem (cramfs)

Dismissed
(exclusively hosted service)
Permalink CVE-2026-33359
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 2 weeks ago Activity log
  • Created & dismissed (exclusively hosted service) suggestion 2 weeks ago
Meari unauthenticated alert image access in cloud object storage

In Meari IoT Cloud alert image storage on Alibaba OSS (latest observed; storage service version not disclosed), motion snapshots are retrievable without authentication, signed URLs, or expiry enforcement. URLs function as direct object references and remain valid beyond expected operational windows.

Affected products

Alibaba OSS Hosted
  • ==April, 2026
Dismissed
(not in Nixpkgs)
Permalink CVE-2021-47944
8.7 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 weeks, 1 day ago
  • @LeSuisse dismissed (not in Nixpkgs) 2 weeks ago
memono Notepad 4.2 Denial of Service via Buffer Overflow

memono Notepad 4.2 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character buffers into note fields. Attackers can generate a payload containing 350000 repeated characters and paste it twice into a new note to trigger an application crash on iOS devices.

Affected products

Notepad
  • ==4.2

Matching in nixpkgs

pkgs.notepad-next

Cross-platform, reimplementation of Notepad++

  • nixos-unstable 0.12
    • nixpkgs-unstable 0.12
    • nixos-unstable-small 0.12
  • nixos-25.11 0.12
    • nixos-25.11-small 0.12
    • nixpkgs-25.11-darwin 0.12

Package maintainers

Permalink CVE-2022-50958
5.1 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Active (A)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): Low (L)
  • Subsequent System Impact Integrity (SI): Low (L)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Active (A)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Low (L)
  • Modified Subsequent System Impact Integrity (MSI): Low (L)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 weeks, 1 day ago
  • @LeSuisse ignored reference Product R… 2 weeks ago
  • @LeSuisse dismissed 2 weeks ago
WordPress Plugin Jetpack 9.1 Cross Site Scripting via grunion-form-view.php

WordPress Plugin Jetpack 9.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the post_id parameter. Attackers can craft URLs to the grunion-form-view.php endpoint with script payloads in the post_id parameter to execute arbitrary JavaScript in victim browsers.

Affected products

Jetpack
  • ==9.1

Matching in nixpkgs

It impacts old versions, current stable branch was never impacted
Dismissed
(not in Nixpkgs)
Permalink CVE-2026-42354
9.1 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 2 weeks, 1 day ago by @mweinelt Activity log
  • Created suggestion 2 weeks, 2 days ago
  • @mweinelt ignored
    14 packages
    • sentry-cli
    • sentry-native
    • terraform-providers.sentry
    • python312Packages.sentry-sdk
    • python312Packages.typesentry
    • python313Packages.sentry-sdk
    • python313Packages.typesentry
    • python314Packages.sentry-sdk
    • python312Packages.policy-sentry
    • python313Packages.policy-sentry
    • python314Packages.policy-sentry
    • terraform-providers.jianyuan_sentry
    • home-assistant-component-tests.sentry
    • grafanaPlugins.grafana-sentry-datasource
    2 weeks, 1 day ago
  • @mweinelt dismissed (not in Nixpkgs) 2 weeks, 1 day ago
Sentry: Improper authentication on SAML SSO process allows user identity linking

Sentry is an error tracking and performance monitoring tool. From version 21.12.0 to before version 26.4.1, a critical vulnerability was discovered in the SAML SSO implementation of Sentry. The vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance. The victim email address must be known in order to exploit this vulnerability. This issue has been patched in version 26.4.1.

Affected products

sentry
  • ==>= 21.12.0, < 26.4.1
Ignored packages (14)
Dismissed
(not in Nixpkgs)
Permalink CVE-2026-42276
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 2 weeks, 1 day ago by @mweinelt Activity log
  • Created suggestion 2 weeks, 2 days ago
  • @mweinelt ignored
    10 packages
    • onyx
    • fontcronyxcyrillic
    • font-cronyx-cyrillic
    • xorg.fontcronyxcyrillic
    • python312Packages.ekey-bionyxpy
    • python313Packages.ekey-bionyxpy
    • python314Packages.ekey-bionyxpy
    • typstPackages.onyx-itu-unofficial
    • typstPackages.onyx-itu-unofficial_0_1_0
    • home-assistant-component-tests.ekeybionyx
    2 weeks, 1 day ago
  • @mweinelt dismissed (not in Nixpkgs) 2 weeks, 1 day ago
Onyx: IDOR in /chat/stop-chat-session allows any authenticated user to interrupt other users chat sessions

Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the POST /chat/stop-chat-session/{chat_session_id} endpoint lets any authenticated user stop any other user's active chat session. The endpoint checks authentication but never verifies the session belongs to the caller. An attacker who knows a chat session UUID can kill another user's LLM generation mid-stream. This issue has been patched in versions 3.0.9, 3.1.6, and 3.2.6.

Affected products

onyx
  • ==< 3.0.9
  • ==>= 3.1.0, < 3.1.6
  • ==>= 3.2.0, < 3.2.6
Ignored packages (10)
Dismissed
(not in Nixpkgs)
Permalink CVE-2026-42205
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 weeks, 1 day ago by @mweinelt Activity log
  • Created suggestion 2 weeks, 2 days ago
  • @mweinelt ignored
    17 packages
    • havoc
    • avocode
    • flavours
    • avogadro2
    • endeavour
    • pavolctld
    • avogadrolibs
    • python312Packages.bitvavo-aio
    • python313Packages.bitvavo-aio
    • python314Packages.bitvavo-aio
    • gnomeExtensions.favorites-menu
    • gnomeExtensions.panel-favorites
    • gnomeExtensions.fullscreen-avoider
    • gnomeExtensions.show-favorite-apps
    • python312Packages.django-localflavor
    • python313Packages.django-localflavor
    • python314Packages.django-localflavor
    2 weeks, 1 day ago
  • @mweinelt dismissed (not in Nixpkgs) 2 weeks, 1 day ago
Avo: Broken Access Control: Unauthorized Execution of Arbitrary Action Classes Across Resources

Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.31.2, a broken access control vulnerability was identified in the ActionsController of the Avo framework. Due to insecure action lookup logic, an authenticated user can execute any Action class (descendants of Avo::BaseAction) on any resource, even if the action is not registered for that specific resource. This leads to Privilege Escalation and unauthorized data manipulation across the entire application. This issue has been patched in version 3.31.2.

Affected products

avo
  • ==< 3.31.2
Ignored packages (17)

pkgs.havoc

Minimal terminal emulator for Wayland

pkgs.flavours

Easy to use base16 scheme manager/builder that integrates with any workflow

pkgs.endeavour

Personal task manager for GNOME

  • nixos-unstable 43.0
    • nixpkgs-unstable 43.0
    • nixos-unstable-small 43.0
  • nixos-25.11 43.0
    • nixos-25.11-small 43.0
    • nixpkgs-25.11-darwin 43.0

pkgs.pavolctld

Minimal volume control/monitoring daemon for PulseAudio and PipeWire

pkgs.gnomeExtensions.favorites-menu

Minimalist favorites menu button in top panel.

  • nixos-unstable 2
    • nixpkgs-unstable 2
    • nixos-unstable-small 2
  • nixos-25.11 2
    • nixos-25.11-small 2
    • nixpkgs-25.11-darwin 2

pkgs.gnomeExtensions.fullscreen-avoider

Moves the top panel to the secondary monitor if the primary is in fullscreen

  • nixos-unstable 15
    • nixpkgs-unstable 15
    • nixos-unstable-small 15
  • nixos-25.11 15
    • nixos-25.11-small 15
    • nixpkgs-25.11-darwin 15
Dismissed
(not in Nixpkgs)
Permalink CVE-2026-42277
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 weeks, 1 day ago by @mweinelt Activity log
  • Created suggestion 2 weeks, 2 days ago
  • @mweinelt ignored
    10 packages
    • onyx
    • fontcronyxcyrillic
    • font-cronyx-cyrillic
    • xorg.fontcronyxcyrillic
    • python312Packages.ekey-bionyxpy
    • python313Packages.ekey-bionyxpy
    • python314Packages.ekey-bionyxpy
    • typstPackages.onyx-itu-unofficial
    • typstPackages.onyx-itu-unofficial_0_1_0
    • home-assistant-component-tests.ekeybionyx
    2 weeks, 1 day ago
  • @mweinelt dismissed (not in Nixpkgs) 2 weeks, 1 day ago
Onyx: IDOR in /chat/file/{file_id} allows any authenticated user to download other users files

Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the GET /chat/file/{file_id} endpoint allows any authenticated user to download any other user's uploaded files by providing the file UUID. The endpoint verifies the caller is authenticated but never checks that the file belongs to them. An attacker who knows or obtains a file UUID can access confidential documents, chat attachments, and other files uploaded by any user in the system. This issue has been patched in versions 3.0.9, 3.1.6, and 3.2.6.

Affected products

onyx
  • ==< 3.0.9
  • ==>= 3.1.0, < 3.1.6
  • ==>= 3.2.0, < 3.2.6
Ignored packages (10)
Dismissed
(not in Nixpkgs)
Permalink CVE-2026-42137
7.1 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 2 weeks, 1 day ago by @LeSuisse Activity log
  • Created suggestion 2 weeks, 2 days ago
  • @LeSuisse dismissed (not in Nixpkgs) 2 weeks, 1 day ago
Kirby: `pages.access/list` and `files.access/list` permissions are not consistently checked in the REST API and changes dialog

Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0.

Affected products

kirby
  • ==< 4.9.0
  • ==>= 5.0.0, < 5.4.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-42295
8.5 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): High (H)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): High (H)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 2 weeks, 1 day ago by @LeSuisse Activity log
  • Created suggestion 2 weeks, 2 days ago
  • @LeSuisse dismissed 2 weeks, 1 day ago
Argo Workflows: Exposure of artifact repository credentials

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the workflow executor logs all artifact repository credentials (S3 access keys, secret keys, GCS service account keys, Azure account keys, Git passwords, etc.) in plaintext on artifact operation. Any user with read access to workflow pod logs can extract these credentials. This issue has been patched in version 4.0.5.

Affected products

argo-workflows
  • ==>= 4.0.0, < 4.0.5

Matching in nixpkgs

Package maintainers

No impacted version in nixpkgs.