Nixpkgs Security Tracker

Login with GitHub

Automatically generated suggestions

to slate a suggestion for refinement.

to mark a suggestion as irrelevant and log the reason.

View:
Compact
Detailed
Permalink CVE-2024-41937
6.1 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 6 months ago
Apache Airflow: Stored XSS Vulnerability on provider link

Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link. Users should upgrade to 2.10.0 or later, which fixes this vulnerability.

References

Affected products

apache-airflow
  • <2.10.0

Matching in nixpkgs

pkgs.apache-airflow

Programmatically author, schedule and monitor data pipelines

  • nixos-unstable -

Package maintainers

Permalink CVE-2024-37099
10.0 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
WordPress GiveWP plugin <= 3.14.1 - Unauthenticated PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in Liquid Web GiveWP allows Object Injection.This issue affects GiveWP: from n/a through 3.14.1.

References

Affected products

give
  • =<3.14.1
givewp
  • =<3.14.1

Matching in nixpkgs

Permalink CVE-2024-43282
7.6 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 6 months ago
WordPress Tutor LMS plugin <= 2.7.2 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeum Tutor LMS.This issue affects Tutor LMS: from n/a through 2.7.2.

References

Affected products

tutor
  • =<2.7.2

Matching in nixpkgs

Package maintainers

Permalink CVE-2024-43318
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress E2Pdf – Export To Pdf Tool for WordPress plugin <= 1.25.05 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in E2Pdf.Com allows Stored XSS.This issue affects e2pdf: from n/a through 1.25.05.

References

Affected products

e2pdf
  • =<1.25.05

Matching in nixpkgs

Permalink CVE-2024-43321
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
updated 3 weeks, 4 days ago by @anthonyroussel Activity log
  • Created automatic suggestion 6 months ago
  • @anthonyroussel removed
    4 packages
    • steampipe
    • steampipePackages.steampipe-plugin-aws
    • steampipePackages.steampipe-plugin-github
    • steampipePackages.steampipe-plugin-azure
    3 weeks, 4 days ago
WordPress Team Showcase plugin <= 1.22.23 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PickPlugins Team Showcase allows Stored XSS.This issue affects Team Showcase: from n/a through 1.22.23.

References

Affected products

team
  • =<1.22.23

Matching in nixpkgs

pkgs.steam

Digital distribution platform

pkgs.git-team

Command line interface for managing and enhancing git commit messages with co-authors

  • nixos-unstable -

pkgs.teamocil

Simple tool used to automatically create windows and panes in tmux with YAML files

  • nixos-unstable -

pkgs.steam-acf

Tool to convert Steam .acf files to JSON

  • nixos-unstable -

pkgs.steam-run

Run commands in the same FHS environment that is used for Steam

  • nixos-unstable -
    • nixpkgs-unstable

pkgs.steam-tui

Rust TUI client for steamcmd

  • nixos-unstable -

pkgs.steamback

Decky plugin to add versioned save-game snapshots to Steam-cloud enabled games

  • nixos-unstable -

pkgs.steamworks

Configuration information distributed over LDAP in near realtime

  • nixos-unstable -

pkgs.teamspeak3

TeamSpeak voice communication tool

  • nixos-unstable -

pkgs.teamviewer

Desktop sharing application, providing remote support and online meetings

pkgs.adwsteamgtk

Simple Gtk wrapper for Adwaita-for-Steam

  • nixos-unstable -

pkgs.ArchiSteamFarm

Application with primary purpose of idling Steam cards from multiple accounts simultaneously

pkgs.steam-run-free

Run commands in the same FHS environment that is used for Steam

  • nixos-unstable -
    • nixpkgs-unstable

pkgs.steamguard-cli

Linux utility for generating 2FA codes for Steam and managing Steam trade confirmations

  • nixos-unstable -

pkgs.steam-play-none

Steam Play Compatibility Tool to run games as-is (This is intended for use in the `programs.steam.extraCompatPackages` option only.)

pkgs.steam-run-native

Run commands in the same FHS environment that is used for Steam

  • nixos-unstable -
    • nixpkgs-unstable
Ignored packages (4)

pkgs.steampipe

Dynamically query your cloud, code, logs & more with SQL

  • nixos-unstable -

Package maintainers

Permalink CVE-2024-21981
5.7 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 6 months ago
Improper key usage control in AMD Secure Processor (ASP) may …

Improper key usage control in AMD Secure Processor (ASP) may allow an attacker with local access who has gained arbitrary code execution privilege in ASP to extract ASP cryptographic keys, potentially resulting in loss of confidentiality and integrity.

References

Affected products

PI
  • ==various
epyc
  • *
ryzen
  • *
athlon
  • *
AMD EPYC™ 7002 Series Processors
  • ==various
AMD EPYC™ 7003 Series Processors
  • ==various
AMD EPYC™ Embedded 3000 Series Processors
  • ==various
AMD EPYC™ Embedded 7002 Series Processors
  • ==various
AMD EPYC™ Embedded 7003 Series Processors
  • ==various
AMD Ryzen™ 3000 Series Desktop Processors
  • ==various
AMD Ryzen™ 5000 Series Desktop Processors
  • ==various
AMD Ryzen™ Embedded 5000 Series Processors
  • ==various
AMD Ryzen™ Embedded R1000 Series Processors
  • ==various
AMD Ryzen™ Embedded R2000 Series Processors
  • ==various
AMD Ryzen™ Embedded V1000 Series Processors
  • ==various
AMD Ryzen™ Threadripper™ PRO 5000WX Processors
  • ==various
AMD Ryzen™ Threadripper™ 3000 Series Processors
  • ==various
AMD Ryzen™ Threadripper™ PRO 3000WX Series Processors
  • ==various
AMD Ryzen™ 3000 Series Mobile Processor with Radeon™ Graphics
  • ==various
AMD Ryzen™ 5000 Series Desktop Processor with Radeon™ Graphics
  • ==various
AMD Ryzen™ 4000 Series Desktop Processors with Radeon™ Graphics
  • ==various
AMD Athlon™ 3000 Series Desktop Processors with Radeon™ Graphics
  • ==various
AMD Athlon™ 3000 Series Mobile Processors with Radeon™ Graphics
  • ==various

Matching in nixpkgs

pkgs.spoofdpi

Simple and fast anti-censorship tool written in Go

  • nixos-unstable -
Permalink CVE-2021-26387
3.9 LOW
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
Insufficient access controls in ASP kernel may allow a privileged …

Insufficient access controls in ASP kernel may allow a privileged attacker with access to AMD signing keys and the BIOS menu or UEFI shell to map DRAM regions in protected areas, potentially leading to a loss of platform integrity.

References

Affected products

PI
  • ==various
AMD EPYC™ 7002 Series Processors
  • ==various
AMD EPYC™ 7003 Series Processors
  • ==various
AMD EPYC™ 9004 Series Processors
  • ==various
AMD EPYC™ Embedded 3000 Series Processors
  • ==various
AMD EPYC™ Embedded 7002 Series Processors
  • ==various
AMD EPYC™ Embedded 7003 Series Processors
  • ==various
AMD EPYC™ Embedded 9003 Series Processors
  • ==various
AMD Ryzen™ 3000 Series Desktop Processors
  • ==ComboAM4PI 1.0.0.9
  • ==ComboAM4 V2 PI 1.2.0.8
AMD Ryzen™ 5000 Series Desktop Processors
  • ==ComboAM4 V2 PI 1.2.0.8
AMD Ryzen™ 7000 Series Desktop Processors
  • ==ComboAM5 1.0.8.0
AMD Ryzen™ Embedded 5000 Series Processors
  • ==EmbAM4PI 1.0.0.2
AMD Ryzen™ Embedded R1000 Series Processors
  • ==EmbeddedPI-FP5 1.2.0.A
AMD Ryzen™ Embedded R2000 Series Processors
  • ==EmbeddedR2KPI-FP5 1.0.0.2
AMD Ryzen™ Embedded V1000 Series Processors
  • ==EmbeddedPI-FP5 1.2.0.A
AMD Ryzen™ Embedded V2000 Series Processors
  • ==EmbeddedPI-FP6 1.0.0.6
AMD Ryzen™ Embedded V3000 Series Processors
  • ==EmbeddedPI-FP7r2 1.0.0.9
AMD Ryzen™ Threadripper™ PRO 5000WX Processors
  • ==ChagallWSPI-sWRX8 1.0.0.2
AMD Ryzen™ Threadripper™ 3000 Series Processors
  • ==CastlePeakPI-SP3r3 1.0.0.7
AMD Ryzen™ Threadripper™ PRO 3000WX Series Processors
  • ==ChagallWSPI-sWRX8 1.0.0.2
  • ==CastlePeakWSPI-sWRX8 1.0.0.9
AMD Ryzen™ 3000 Series Processors with Radeon™ Graphics
  • ==CezannePI-FP6 1.0.0.9
AMD Ryzen™ 5000 Series Processors with Radeon™ Graphics
  • ==CezannePI-FP6 1.0.0.9
AMD Ryzen™ 6000 Series Processors with Radeon™ Graphics
  • ==RembrandtPI-FP7 1.0.0.9b
AMD Ryzen™ 7035 Series Processors with Radeon™ Graphics
  • ==RembrandtPI-FP7 1.0.0.9b
AMD Ryzen™ 3000 Series Mobile Processor with Radeon™ Graphics
  • ==PicassoPI-FP5 1.0.0.E
AMD Ryzen™ 4000 Series Mobile Processors with Radeon™ Graphics
  • ==RenoirPI-FP6 1.0.0.8
AMD Ryzen™ 5000 Series Desktop Processor with Radeon™ Graphics
  • ==ComboAM4v2 PI 1.2.0.6
AMD Ryzen™ 5000 Series Mobile Processors with Radeon™ Graphics
  • ==CezannePI-FP6 1.0.0.9
  • ==CezannePI-FP6 1.0.0.9
AMD Ryzen™ 4000 Series Desktop Processors with Radeon™ Graphics
  • ==ComboAM4v2 PI 1.2.0.5
AMD Athlon™ 3000 Series Desktop Processors with Radeon™ Graphics
  • ==ComboAM4v2 PI 1.2.0.8
  • ==ComboAM4PI 1.0.0.9
AMD Athlon™ 3000 Series Mobile Processors with Radeon™ Graphics
  • ==PollockPI-FT5 1.0.0.4
  • ==PicassoPI-FP5 1.0.0.E

Matching in nixpkgs

pkgs.spoofdpi

Simple and fast anti-censorship tool written in Go

  • nixos-unstable -
Permalink CVE-2023-20578
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
A TOCTOU (Time-Of-Check-Time-Of-Use) in SMM may allow an attacker with …

A TOCTOU (Time-Of-Check-Time-Of-Use) in SMM may allow an attacker with ring0 privileges and access to the BIOS menu or UEFI shell to modify the communications buffer potentially resulting in arbitrary code execution.

References

Affected products

PI
  • ==NaplesPI 1.0.0.K
epyc_7001
  • ==1.0.0.k
epyc_7002
  • ==1.0.0.g
epyc_9004
  • ==1.0.0.2
epyc_embedded_3000
  • ==1.1.0.a
epyc_embedded_7002
  • ==1.0.0.a
epyc_embedded_7003
  • ==1.0.0.7
epyc_embedded_9003
  • ==1.0.0.0
ryzen_embedded_7000
  • ==1.0.0.0
ryzen_embedded_v3000
  • ==1.0.0.8
AMD EPYC™ Embedded 3000
  • ==SnowyOwl PI 1.1.0.A
AMD EPYC™ Embedded 7002
  • ==EmbRomePI-SP3 1.0.0.A
AMD EPYC™ Embedded 7003
  • ==EmbMilanPI-SP3 1.0.0.7
AMD EPYC™ Embedded 9003
  • ==EmbGenoaPI-SP5 1.0.0.0
AMD RyzenTM Embedded V3000
  • ==EmbeddedPI-FP7r2 1.0.0.8
AMD Ryzen™ Embedded 7000
  • ==EmbeddedAM5PI 1.0.0.0
AMD EPYC™ 7002 Processors
  • ==RomePI 1.0.0.G
AMD EPYC™ 7003 Processors
  • ==MilanPI 1.0.0.B
AMD EPYC™ 9004 Processors
  • ==GenoaPI 1.0.0.2
AMD Ryzen™ 7000 Series Desktop Processors
  • ==ComboAM5 1.0.0.1
AMD Ryzen™ Threadripper™ PRO 5000WX Processors
  • ==ChagallWSPI-sWRX8 1.0.0.7
AMD Ryzen™ 6000 Series Processors with Radeon™ Graphics
  • ==RembrandtPI-FP7 1.0.0.9b
AMD Ryzen™ 7020 Series Processors with Radeon™ Graphics
  • ==MendocinoPI-FT6 1.0.0.0
AMD Ryzen™ 7035 Series Processors with Radeon™ Graphics
  • ==RembrandtPI-FP7 1.0.0.9b

Matching in nixpkgs

pkgs.spoofdpi

Simple and fast anti-censorship tool written in Go

  • nixos-unstable -
Permalink CVE-2024-43231
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress Tutor LMS plugin <= 2.7.3 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Themeum Tutor LMS allows Stored XSS.This issue affects Tutor LMS: from n/a through 2.7.3.

References

Affected products

tutor
  • =<2.7.3

Matching in nixpkgs

Package maintainers

Permalink CVE-2024-7700
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
Foreman: command injection in "host init config" template via "install packages" field on foreman

A command injection flaw was found in the "Host Init Config" template in the Foreman application via the "Install Packages" field on the "Register Host" page. This flaw allows an attacker with the necessary privileges to inject arbitrary commands into the configuration, potentially allowing unauthorized command execution during host registration. Although this issue requires user interaction to execute injected commands, it poses a significant risk if an unsuspecting user runs the generated registration script.

References

Affected products

foreman

Matching in nixpkgs

pkgs.foreman

Process manager for applications with multiple components

  • nixos-unstable -

Package maintainers