Nixpkgs Security Tracker

Login with GitHub

Automatically generated suggestions

to slate a suggestion for refinement.

to mark a suggestion as irrelevant and log the reason.

View:
Compact
Detailed
Permalink CVE-2024-12840
5.0 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 6 months ago
Http proxies: satellite: service side request forgery in http proxies

A server-side request forgery exists in Satellite. When a PUT HTTP request is made to /http_proxies/test_connection, when supplied with the http_proxies variable set to localhost, the attacker can fetch the localhost banner.

References

Affected products

security

Matching in nixpkgs

pkgs.paretosecurity

Agent that makes sure your laptop is correctly configured for security

  • nixos-unstable -

pkgs.xml-security-c

C++ Implementation of W3C security standards for XML

  • nixos-unstable -

pkgs.modsecurity-crs

The OWASP ModSecurity Core Rule Set is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls.

  • nixos-unstable -

Package maintainers

Permalink CVE-2024-37962
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress Fusion Page Builder plugin <= 1.6.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Agency Dominion Fusion allows Stored XSS.This issue affects Fusion: from n/a through 1.6.1.

References

Affected products

fusion
  • =<1.6.1

Matching in nixpkgs

pkgs.lxgw-fusionkai

Simplified Chinese font derived from LXGW WenKai GB, iansui and Klee One

  • nixos-unstable -

pkgs.finalfusion-utils

Utility for converting, quantizing, and querying word embeddings

  • nixos-unstable -

Package maintainers

Permalink CVE-2024-54350
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress hmd theme <= 2.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HJYL hmd allows Stored XSS.This issue affects hmd: from n/a through 2.0.

References

Affected products

hmd
  • =<2.0

Matching in nixpkgs

pkgs.openhmd

Library API and drivers immersive technology

  • nixos-unstable -

Package maintainers

Permalink CVE-2024-11614
created 6 months ago
Dpdk: denial of service from malicious guest on hypervisors using dpdk vhost library

An out-of-bounds read vulnerability was found in DPDK's Vhost library checksum offload feature. This issue enables an untrusted or compromised guest to crash the hypervisor's vSwitch by forging Virtio descriptors to cause out-of-bounds reads. This flaw allows an attacker with a malicious VM using a virtio driver to cause the vhost-user side to crash by sending a packet with a Tx checksum offload request and an invalid csum_start offset.

References

Affected products

dpdk
  • <21.11-4
  • *
openvswitch
openvswitch3.0
openvswitch3.1
  • *
openvswitch3.2
openvswitch3.3
  • *
openvswitch3.4
  • *
openvswitch2.10
openvswitch2.11
openvswitch2.12
openvswitch2.13
openvswitch2.15
openvswitch2.16
openvswitch2.17

Matching in nixpkgs

pkgs.dpdk

Set of libraries and drivers for fast packet processing

  • nixos-unstable -

Package maintainers

Permalink CVE-2024-56059
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
WordPress Partners plugin <= 0.2.0 - PHP Object Injection vulnerability

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Mighty Digital Partners allows Object Injection.This issue affects Partners: from n/a through 0.2.0.

References

Affected products

partners
  • =<0.2.0

Matching in nixpkgs

Permalink CVE-2024-10973
5.7 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): ADJACENT_NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 6 months ago
Keycloak: cli option for encrypted jgroups ignored

A vulnerability was found in Keycloak. The environment option `KC_CACHE_EMBEDDED_MTLS_ENABLED` does not work and the JGroups replication configuration is always used in plain text which can allow an attacker that has access to adjacent networks related to JGroups to read sensitive information.

References

Affected products

keycloak
  • *
  • <25.0
  • <23.0
org.keycloak/keycloak-quarkus-server

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

  • nixos-unstable -

Package maintainers

Permalink CVE-2024-55986
8.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 6 months ago
WordPress Service plugin <= 1.0.4 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in serviceonline Service allows Blind SQL Injection.This issue affects Service: from n/a through 1.0.4.

References

Affected products

service
  • =<1.0.4

Matching in nixpkgs

pkgs.lk-jwt-service

Minimal service to issue LiveKit JWTs for MatrixRTC

  • nixos-unstable -

pkgs.accountsservice

D-Bus interface for user account query and manipulation

pkgs.service-wrapper

Convenient wrapper for the systemctl commands, borrow from Ubuntu

  • nixos-unstable -

pkgs.lomiri.hfd-service

DBus-activated service that manages human feedback devices such as LEDs and vibrators on mobile devices

  • nixos-unstable -

pkgs.java-service-wrapper

Enables a Java Application to be run as a Windows Service or Unix Daemon

  • nixos-unstable -

Package maintainers

Permalink CVE-2024-54348
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress Brandy theme <= 1.1.6 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in YayCommerce Brand allows Stored XSS.This issue affects Brand: from n/a through 1.1.6.

References

Affected products

brand
  • =<1.1.6

Matching in nixpkgs

pkgs.matrix-brandy

Matrix Brandy BASIC VI for Linux, Windows, MacOSX

  • nixos-unstable -

pkgs.librandombytes

Simple API for applications generating fresh randomness

Package maintainers

Permalink CVE-2024-54368
9.6 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
WordPress GitSync plugin <= 1.1.0 - CSRF to Remote Code Execution vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Ruben Garza, Jr. GitSync allows Code Injection.This issue affects GitSync: from n/a through 1.1.0.

References

Affected products

git-sync
  • =<1.1.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2024-54384
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 6 months ago
WordPress Falcon – WordPress Optimizations & Tweaks plugin <= 2.8.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in eLightUp Falcon – WordPress Optimizations & Tweaks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Falcon – WordPress Optimizations & Tweaks: from n/a through 2.8.3.

References

Affected products

falcon
  • =<2.8.3

Matching in nixpkgs

Package maintainers