Nixpkgs Security Tracker

Automatically generated suggestions

CVE-2024-12087
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 6 months ago
Rsync: path traversal vulnerability in rsync

A path traversal vulnerability exists in rsync. It stems from behavior enabled by the `--inc-recursive` option, which is enabled by default for many client options and can also be enabled by the server even if the client did not explicitly request it. When using the `--inc-recursive` option, a lack of proper symlink verification, coupled with deduplication checks occurring on a per-file-list basis, could allow a server to write files outside of the client's intended destination directory. A malicious server could write malicious files to arbitrary locations named after valid directories/paths on the client.

References

Affected products

rhcos
rsync
  • =<3.3.0
  • *
discovery/discovery-ui-rhel9
  • *
registry.redhat.io/discovery/discovery-ui-rhel9
  • *

Matching in nixpkgs

pkgs.rsync

Fast incremental file transfer utility

  • nixos-unstable -

pkgs.grsync

Synchronize folders, files and make backups

  • nixos-unstable -

pkgs.rrsync

Helper to run rsync-only environments from ssh-logins

  • nixos-unstable -

pkgs.rsyncy

Progress bar wrapper for rsync

  • nixos-unstable -

pkgs.librsync

Implementation of the rsync remote-delta algorithm

  • nixos-unstable -

pkgs.diskrsync

Rsync for block devices and disk images

  • nixos-unstable -

pkgs.ethersync

Real-time co-editing of local text files

  • nixos-unstable -

Package maintainers

CVE-2024-12088
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 6 months ago
Rsync: --safe-links option bypass leads to path traversal

A flaw was found in rsync. When using the `--safe-links` option, rsync fails to properly verify if a symbolic link destination contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary file write outside the desired directory.

References

Affected products

rhcos
rsync
  • =<3.3.0
  • *
discovery/discovery-ui-rhel9
  • *
registry.redhat.io/discovery/discovery-ui-rhel9
  • *

Matching in nixpkgs

pkgs.rsync

Fast incremental file transfer utility

  • nixos-unstable -

pkgs.grsync

Synchronize folders, files and make backups

  • nixos-unstable -

pkgs.rrsync

Helper to run rsync-only environments from ssh-logins

  • nixos-unstable -

pkgs.rsyncy

Progress bar wrapper for rsync

  • nixos-unstable -

pkgs.librsync

Implementation of the rsync remote-delta algorithm

  • nixos-unstable -

pkgs.diskrsync

Rsync for block devices and disk images

  • nixos-unstable -

pkgs.ethersync

Real-time co-editing of local text files

  • nixos-unstable -

Package maintainers

CVE-2024-56827
5.6 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 6 months ago
Openjpeg: heap buffer overflow in lib/openjp2/j2k.c

A flaw was found in the OpenJPEG project. A heap buffer overflow condition may be triggered when certain options are specified while using the opj_decompress utility. This can lead to an application crash or other undefined behavior.

References

Affected products

openjpeg
  • *
openjpeg2
  • *
gimp:flatpak/openjpeg2

Matching in nixpkgs

pkgs.openjpeg

Open-source JPEG 2000 codec written in C language

  • nixos-unstable -

Package maintainers

CVE-2024-56826
5.6 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 6 months ago
Openjpeg: heap buffer overflow in bin/common/color.c

A flaw was found in the OpenJPEG project. A heap buffer overflow condition may be triggered when certain options are specified while using the opj_decompress utility. This can lead to an application crash or other undefined behavior.

References

Affected products

openjpeg
  • *
openjpeg2
  • *
gimp:flatpak/openjpeg2

Matching in nixpkgs

pkgs.openjpeg

Open-source JPEG 2000 codec written in C language

  • nixos-unstable -

Package maintainers

CVE-2023-1907
8.0 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
Pgadmin: users authenticated simultaneously via ldap may be attached to the wrong session

A vulnerability was found in pgadmin. Users logging into pgAdmin running in server mode using LDAP authentication may be attached to another user's session if multiple connection attempts occur simultaneously.

References

Affected products

pgadmin
  • <7.0

Matching in nixpkgs

pkgs.pgadmin

Administration and development platform for PostgreSQL

  • nixos-unstable -

pkgs.pgadmin4

Administration and development platform for PostgreSQL

  • nixos-unstable -

pkgs.pgadmin4-desktopmode

Administration and development platform for PostgreSQL. Desktop Mode

  • nixos-unstable -

Package maintainers

CVE-2025-22534
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress Slides & Presentations Plugin <= 0.0.39 - Broken Access Control vulnerability

Missing Authorization vulnerability in Ella van Durpe Slides & Presentations allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Slides & Presentations: from n/a through 0.0.39.

Affected products

slide
  • =<0.0.39

Matching in nixpkgs

pkgs.slides

Terminal based presentation tool

  • nixos-unstable -

pkgs.openslide

C library that provides a simple interface to read whole-slide images

  • nixos-unstable -

pkgs.manim-slides

Tool for live presentations using manim

  • nixos-unstable -

pkgs.dvd-slideshow

Suite of command line programs that creates a slideshow-style video from groups of pictures

pkgs.gnomeExtensions.night-light-slider-updated

Kiyui's Night Light Slider updated for GNOME 45. Provides a slider in the quick settings menu to control the night light temperature. Some nice options can be set in the extension preferences menu. Original implementation: https://codeberg.org/kiyui/gnome-shell-night-light-slider-extension/

  • nixos-unstable -
    • nixpkgs-unstable 13

Package maintainers

CVE-2025-22511
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress Slides & Presentations Plugin <= 0.0.39 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ella van Durpe Slides & Presentations allows Stored XSS. This issue affects Slides & Presentations: from n/a through 0.0.39.

Affected products

slide
  • =<0.0.39

Matching in nixpkgs

pkgs.slides

Terminal based presentation tool

  • nixos-unstable -

pkgs.openslide

C library that provides a simple interface to read whole-slide images

  • nixos-unstable -

pkgs.manim-slides

Tool for live presentations using manim

  • nixos-unstable -

pkgs.dvd-slideshow

Suite of command line programs that creates a slideshow-style video from groups of pictures

pkgs.gnomeExtensions.night-light-slider-updated

Kiyui's Night Light Slider updated for GNOME 45. Provides a slider in the quick settings menu to control the night light temperature. Some nice options can be set in the extension preferences menu. Original implementation: https://codeberg.org/kiyui/gnome-shell-night-light-slider-extension/

  • nixos-unstable -
    • nixpkgs-unstable 13

Package maintainers

CVE-2024-56297
5.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress Highlight plugin <= 2.0.2 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dn88 Highlight allows Stored XSS. This issue affects Highlight: from n/a through 2.0.2.

Affected products

highlight
  • =<2.0.2

Matching in nixpkgs

pkgs.highlight

Source code highlighting tool

  • nixos-unstable -

pkgs.kohighlights

Utility for viewing and/or exporting KOReader's highlights

pkgs.gnomeExtensions.preedit-highlight-popup

A Japanese input assistance tool for Wayland sessions. It adds a popup that displays the unconverted (pre-edit) string during kana-kanji conversion. Within the popup, the conversion range is shown in bold and underlined, which makes specifying the conversion range easier.

  • nixos-unstable -
    • nixpkgs-unstable 2
CVE-2024-56276
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 6 months ago
WordPress WPForms Lite plugin <= 1.9.2.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in WPForms Contact Form by WPForms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form by WPForms: from n/a through 1.9.2.2.

Affected products

wpforms-lite
  • =<1.9.2.2

Matching in nixpkgs

CVE-2023-6596
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 6 months ago
Openshift: incomplete fix for rapid reset (cve-2023-44487/cve-2023-39325)

An incomplete fix was shipped for the Rapid Reset (CVE-2023-44487/CVE-2023-39325) vulnerability for OpenShift Containers.

References

Affected products

openshift
  • <4.11.58
  • <4.12.48
openshift4/ose-olm-rukpak-rhel8
openshift4/ose-operator-lifecycle-manager
  • *

Matching in nixpkgs

pkgs.openshift

Build, deploy, and manage your applications with Docker and Kubernetes

  • nixos-unstable -

Package maintainers