Nixpkgs Security Tracker


Automatically generated suggestions

CVE-2022-2084
5.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
sensitive data exposure in cloud-init logs

Sensitive data could be exposed in world-readable logs of cloud-init before version 22.3 when schema failures are reported. The leaked data could include hashed passwords.
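The two halves of the problem, as an added example rather than cloud-init's own code: the pre-22.3 pattern in which a schema failure dumps the whole user-data (password hashes included) into a log, next to a version that masks secrets before logging and creates the log file mode 0600. The sensitive-key list, the hash pattern and the sample user-data are assumptions constructed for this example.

```python
"""Added example; not cloud-init's own code. Leaky vs. redacting schema-error
logging, plus a log file that is not world-readable. The key list and hash
pattern are assumptions made for this example."""
import json
import os
import re
import stat
import tempfile

# Assumed set of config keys whose values are secrets.
SENSITIVE_KEYS = {"passwd", "password", "hashed_passwd", "plain_text_passwd",
                  "private_key", "token"}
# crypt(3)-style hashes ($1$, $5$, $6$, $y$, $2b$ ...). They are masked wherever
# they appear as string values, because they also turn up under non-secret
# keys such as chpasswd.list.
HASH_RE = re.compile(r"\$(?:1|2[abxy]?|5|6|7|y|gy)\$[^\s\"',\]\}]+")
REDACTED = "<redacted>"

# Constructed user-data; the hashes are placeholders, not real hashes.
SAMPLE_CFG = {
    "users": [{"name": "ops", "passwd": "$6$saltsalt$fakehashfakehashfakehash",
               "sudo": "ALL=(ALL) NOPASSWD:ALL"}],
    "chpasswd": {"list": ["ops:$6$saltsalt$anotherfakehash"], "expire": False},
    "bogus_key": 42,
}
SAMPLE_ERRORS = ["bogus_key: additional properties are not allowed"]


def redact_sensitive(obj):
    """Deep copy of obj with secret-key values and hash-shaped strings masked."""
    if isinstance(obj, dict):
        return {k: (REDACTED if str(k).lower() in SENSITIVE_KEYS
                    else redact_sensitive(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact_sensitive(v) for v in obj]
    if isinstance(obj, str):
        return HASH_RE.sub(REDACTED, obj)
    return obj


def schema_error_message(cfg, errors, redact):
    """Text a validator logs when user-data fails schema checks. redact=False
    is the leaky behaviour: the offending config goes into the log verbatim."""
    shown = redact_sensitive(cfg) if redact else cfg
    return "Invalid cloud-config: {}\nconfig: {}".format(
        "; ".join(errors), json.dumps(shown, sort_keys=True))


def leaks_hash(text):
    """Crude detector for crypt(3) hashes in a log line."""
    return HASH_RE.search(text) is not None


def write_private_log(path, message):
    """Append to path, creating it 0600 so other local users cannot read it.
    Returns the file's permission bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a") as fh:
        fh.write(message + "\n")
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Run both variants against the sample and report what would leak."""
    leaky = schema_error_message(SAMPLE_CFG, SAMPLE_ERRORS, redact=False)
    safe = schema_error_message(SAMPLE_CFG, SAMPLE_ERRORS, redact=True)
    path = os.path.join(tempfile.mkdtemp(), "cloud-init.log")
    return {"leaky_has_hash": leaks_hash(leaky),
            "safe_has_hash": leaks_hash(safe),
            "log_mode": write_private_log(path, safe)}


if __name__ == "__main__":
    print(demo())
```

Key-based redaction alone is not enough here: the hash in `chpasswd.list` sits under a key that is not secret by name, which is why the example also scrubs hash-shaped strings. The same `leaks_hash` check can be pointed at an existing `/var/log/cloud-init.log` to see whether an older instance has already leaked.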

Affected products

cloud-init
  • <23.0

Matching in nixpkgs

pkgs.cloud-init

Provides configuration and customization of cloud instance

  • nixos-unstable -

CVE-2023-3301
5.6 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
Triggerable assertion due to race condition in hot-unplug

A flaw was found in QEMU. Because hot-unplug is asynchronous, there is a window in which the net device backend has already been cleared while the virtio-net PCI frontend has not yet been unplugged. A malicious guest could use this time window to trigger an assertion and cause a denial of service.

Affected products

qemu
  • ==8.1.0-rc0
qemu-kvm
qemu-kvm-ma
qemu-kvm-rhev
virt:av/qemu-kvm
virt:rhel/qemu-kvm

Matching in nixpkgs

pkgs.qemu

Generic and open source machine emulator and virtualizer

  • nixos-unstable -

pkgs.qemu_kvm

Generic and open source machine emulator and virtualizer

  • nixos-unstable -

pkgs.qemu_xen

Generic and open source machine emulator and virtualizer

  • nixos-unstable -

pkgs.qemu-user

QEMU User space emulator - launch executables compiled for one CPU on another CPU

  • nixos-unstable -

pkgs.qemu_full

Generic and open source machine emulator and virtualizer

  • nixos-unstable -

pkgs.qemu_test

Generic and open source machine emulator and virtualizer

  • nixos-unstable -

pkgs.qemu-utils

Generic and open source machine emulator and virtualizer

  • nixos-unstable -

pkgs.qemu-python-utils

Python tooling used by the QEMU project to build, configure, and test QEMU

CVE-2023-32549
6.8 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
Landscape insecure token generation

Landscape cryptographic keys were insecurely generated with a weak pseudo-random generator.
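What "weak pseudo-random generator" means in practice, as an added example that is not Landscape's own code: a token drawn from a seeded non-cryptographic generator (Python's `random`, a Mersenne Twister) can be reproduced by anyone who can guess the seed, and every later token from the same instance comes with it. Seeding from a timestamp is an assumption chosen to make the weakness concrete; the page does not say how Landscape seeded its generator. The CSPRNG-backed replacement from the `secrets` module is shown alongside.

```python
"""Added example, not Landscape's own code. Seeded Mersenne Twister tokens
recovered by seed search, next to a CSPRNG-backed token of the same shape.
Timestamp seeding is an assumption made for this example."""
import random
import secrets

TOKEN_BYTES = 32  # 256-bit tokens in both variants


def weak_token(seed, nbytes=TOKEN_BYTES):
    """Token from random.Random seeded with a low-entropy value (e.g. seconds
    since the epoch). Same seed, same token, every time."""
    rng = random.Random(seed)
    return rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big").hex()


def weak_token_sequence(seed, count, nbytes=TOKEN_BYTES):
    """Several tokens from one generator instance, as a long-running service
    would issue them. Recovering the seed recovers every one of them."""
    rng = random.Random(seed)
    return [rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big").hex()
            for _ in range(count)]


def recover_seed(observed, low, high):
    """Attacker's side: knowing roughly when a token was issued, try every
    seed in the window until the generator reproduces it. Returns the seed,
    or None if no seed in the window matches."""
    nbytes = len(observed) // 2
    for seed in range(low, high + 1):
        if weak_token(seed, nbytes) == observed:
            return seed
    return None


def strong_token(nbytes=TOKEN_BYTES):
    """Same shape, drawn from the OS CSPRNG via the secrets module; there is
    no seed to recover and no internal state an observer can reproduce."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed: the second at which a token was minted
    leaked = weak_token(issued_at)
    print("weak token:", leaked)
    print("seed recovered:", recover_seed(leaked, issued_at - 3600, issued_at + 3600))
    print("strong token:", strong_token())
```

A better seed does not fix this class of bug: Mersenne Twister state can also be reconstructed from 624 consecutive 32-bit outputs with no knowledge of the seed at all, so the remedy is a cryptographic generator (`secrets`, `os.urandom`), not more seed entropy. When reviewing a codebase for this pattern, search for `random.Random`, `random.seed` and bare `random.*` calls on any path that produces keys, session tokens or password-reset links.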

Affected products

landscape
  • <19.10.05

Matching in nixpkgs

pkgs.terraform-landscape

Improve Terraform's plan output to be easier to read and understand

  • nixos-unstable -

A Use-After-Free vulnerability in the management of an SNP guest …

A Use-After-Free vulnerability in the management of an SNP guest context page may allow a malicious hypervisor to masquerade as the guest's migration agent resulting in a potential loss of guest integrity.

Affected products

PI
  • ==various

Matching in nixpkgs

pkgs.spoofdpi

Simple and fast anti-censorship tool written in Go

  • nixos-unstable -
CVE-2023-24415
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
WordPress AI ChatBot plugin <= 4.2.8 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in QuantumCloud AI ChatBot plugin <= 4.2.8 versions.

Affected products

chatbot
  • =<4.2.8

Matching in nixpkgs

pkgs.gnomeExtensions.penguin-ai-chatbot

A GNOME Shell extension that provides a chatbot interface using various LLM providers, including Anthropic, OpenAI, Gemini, and OpenRouter. Features include multiple provider support, customizable models, chat history, customizable appearance, a keyboard shortcut, and copy-to-clipboard functionality.

  • nixos-unstable -
    • nixpkgs-unstable 22

CVE-2024-3056
4.8 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
Podman: containers in shared ipc namespace are vulnerable to denial of service attack

A flaw was found in Podman. This issue may allow an attacker to create a specially crafted container that, when configured to share the same IPC with at least one other container, can create a large number of IPC resources in /dev/shm. The malicious container will continue to exhaust resources until it is out-of-memory (OOM) killed. While the malicious container's cgroup will be removed, the IPC resources it created are not. Those resources are tied to the IPC namespace that will not be removed until all containers using it are stopped, and one non-malicious container is holding the namespace open. The malicious container is restarted, either automatically or by attacker control, repeating the process and increasing the amount of memory consumed. With a container configured to restart always, such as `podman run --restart=always`, this can result in a memory-based denial of service of the system.
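The condition described above is a property of how containers are configured, so it can be checked before anything is exhausted. The following is an added example, not podman's own code: it reads `podman inspect` JSON and flags every container that both sits in an IPC namespace shared with another container (or with the host) and carries an automatic restart policy, the pairing that turns an OOM kill into a restart loop. The field names (`HostConfig.IpcMode`, `HostConfig.RestartPolicy.Name`) follow podman's Docker-compatible inspect layout and are an assumption here; the sample inspect output is constructed.

```python
"""Added example, not podman's own code: flag containers that combine a
shared IPC namespace with an automatic restart policy. Field names are
assumed to match podman's Docker-compatible `podman inspect` output."""
import json
import sys

# Restart policies that bring a container back after an OOM kill.
AUTO_RESTART = {"always", "unless-stopped", "on-failure"}

# Constructed sample of `podman inspect web broker worker monitor`, trimmed
# to the fields this check uses.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "web",
     "HostConfig": {"IpcMode": "private", "RestartPolicy": {"Name": "always"}}},
    {"Id": "bbb222", "Name": "broker",
     "HostConfig": {"IpcMode": "shareable", "RestartPolicy": {"Name": "no"}}},
    {"Id": "ccc333", "Name": "worker",
     "HostConfig": {"IpcMode": "container:bbb222", "RestartPolicy": {"Name": "always"}}},
    {"Id": "ddd444", "Name": "monitor",
     "HostConfig": {"IpcMode": "host", "RestartPolicy": {"Name": "unless-stopped"}}},
])


def ipc_namespace_key(ctr, by_id, by_name):
    """Identify the IPC namespace a container lives in: 'host', the owning
    container's Id for shareable/joined namespaces, or None when private."""
    mode = ctr["HostConfig"].get("IpcMode") or "private"
    if mode == "host":
        return "host"
    if mode == "shareable":
        return ctr["Id"]
    if mode.startswith("container:"):
        ref = mode.split(":", 1)[1]
        if ref in by_name:
            return by_name[ref]
        # the reference may be an abbreviated Id
        return next((cid for cid in by_id if cid.startswith(ref)), ref)
    return None


def find_risky_ipc(containers):
    """Containers that share an IPC namespace with another container (or the
    host) and will be restarted automatically, sorted by name."""
    by_id = {c["Id"]: c for c in containers}
    by_name = {c["Name"]: c["Id"] for c in containers}
    members = {}
    keyed = []
    for c in containers:
        key = ipc_namespace_key(c, by_id, by_name)
        if key is not None:
            members.setdefault(key, set()).add(c["Name"])
            keyed.append((c, key))
    risky = []
    for c, key in keyed:
        shared = key == "host" or len(members[key]) > 1
        policy = c["HostConfig"].get("RestartPolicy", {}).get("Name", "no")
        if shared and policy in AUTO_RESTART:
            others = sorted(members[key] - {c["Name"]})
            if key == "host":
                others = ["host"] + others
            risky.append({"name": c["Name"], "ipc": key,
                          "shared_with": others, "restart": policy})
    return sorted(risky, key=lambda r: r["name"])


def find_risky_ipc_from_json(text):
    return find_risky_ipc(json.loads(text))


if __name__ == "__main__":
    # usage: podman inspect $(podman ps -aq) | python3 ipc_check.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for r in find_risky_ipc_from_json(raw):
        print("{name}: ipc={ipc} restart={restart} shared_with={shared_with}".format(**r))
```

On the sample, `web` is not flagged (private IPC, so its restart policy is harmless here) and `broker` is not flagged (it shares a namespace but is never restarted automatically), while `worker` and `monitor` are. The check is static: it says which containers could drive the loop, not whether `/dev/shm` is filling up now.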

Affected products

kernel
podman
  • ==5.0.0
kernel-rt
container-tools:4.0/podman
container-tools:rhel8/podman

Matching in nixpkgs

pkgs.podman

Program for managing pods, containers and container images

  • nixos-unstable -

pkgs.linux-doc

Linux kernel html documentation

  • nixos-unstable -

pkgs.coq-kernel

  • nixos-unstable -
    • nixpkgs-unstable

pkgs.kernelshark

GUI for trace-cmd which is an interface for the Linux kernel ftrace subsystem

  • nixos-unstable -

pkgs.podman-bootc

Streamlining podman+bootc interactions

  • nixos-unstable -

pkgs.podman-compose

Implementation of docker-compose with podman backend

  • nixos-unstable -

pkgs.podman-desktop

Graphical tool for developing on containers and Kubernetes

  • nixos-unstable -

CVE-2023-1523
10.0 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
Using the TIOCLINUX ioctl request, a malicious snap could inject …

Using the TIOCLINUX ioctl request, a malicious snap could inject contents into the input of the controlling terminal which could allow it to cause arbitrary commands to be executed outside of the snap sandbox after the snap exits. Graphical terminal emulators like xterm, gnome-terminal and others are not affected - this can only be exploited when snaps are run on a virtual console.

Affected products

snapd
  • ==2.59.5

Matching in nixpkgs

CVE-2023-23699
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
WordPress Progress Bar Plugin <= 2.2.1 is vulnerable to Cross Site Scripting (XSS)

Authenticated (contributor or higher) stored Cross-Site Scripting (XSS) vulnerability in Chris Reynolds' Progress Bar plugin, versions <= 2.2.1.

Affected products

progress-bar
  • =<2.2.1

Matching in nixpkgs

CVE-2023-2968
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
Undefined variable usage in npm package "proxy" leads to remote denial of service

A remote attacker can send a crafted HTTP request for which socket.remoteAddress is undefined; using the undefined value raises an unhandled TypeError, resulting in a denial of service.

Affected products

proxy
  • <2.1.1

Matching in nixpkgs

pkgs.tproxy

CLI tool to proxy and analyze TCP connections

  • nixos-unstable -

pkgs._3proxy

Tiny free proxy server

  • nixos-unstable -

pkgs.g3proxy

Enterprise-oriented Generic Proxy Solutions

  • nixos-unstable -

pkgs.gvproxy

Network stack based on gVisor

  • nixos-unstable -

pkgs.haproxy

Reliable, high performance TCP/HTTP load balancer

  • nixos-unstable -

pkgs.ldproxy

Linker Proxy: a simple tool to forward linker arguments to the actual linker executable

  • nixos-unstable -

pkgs.moproxy

Transparent TCP to SOCKSv5/HTTP proxy on Linux written in Rust

  • nixos-unstable -

pkgs.ocproxy

OpenConnect proxy

  • nixos-unstable -

pkgs.reproxy

Simple edge server / reverse proxy

  • nixos-unstable -

pkgs.s3proxy

Access other storage backends via the S3 API

  • nixos-unstable -

pkgs.dnsproxy

Simple DNS proxy with DoH, DoT, and DNSCrypt support

  • nixos-unstable -

pkgs.imgproxy

Fast and secure on-the-fly image processing server written in Go

  • nixos-unstable -

pkgs.libproxy

Library that provides automatic proxy configuration management

  • nixos-unstable -

pkgs.mapproxy

Open source proxy for geospatial data

  • nixos-unstable -

pkgs.pacproxy

No-frills local HTTP proxy server powered by a proxy auto-config (PAC) file

  • nixos-unstable -

pkgs.proxyman

Capture, inspect, and manipulate HTTP(s) requests/responses with ease

  • nixos-unstable -

pkgs.proxypin

Capture HTTP(S) traffic software

  • nixos-unstable -

pkgs.proxysql

High-performance MySQL proxy

  • nixos-unstable -

pkgs.sniproxy

Transparent TLS and HTTP layer 4 proxy with SNI support

  • nixos-unstable -

pkgs.xssproxy

Forward freedesktop.org Idle Inhibition Service calls to Xss

  • nixos-unstable -

pkgs.dkimproxy

SMTP-proxy that signs and/or verifies emails

  • nixos-unstable -

pkgs.igmpproxy

Daemon that routes multicast using IGMP forwarding

  • nixos-unstable -

pkgs.mcp-proxy

MCP server which proxies other MCP servers from stdio to SSE or from SSE to stdio

  • nixos-unstable -

pkgs.proxyauth

Proxy Authentication Token - Fast authentication gateway for backend APIs

  • nixos-unstable -

pkgs.tinyproxy

Light-weight HTTP/HTTPS proxy daemon for POSIX operating systems

  • nixos-unstable -

pkgs.toxiproxy

Proxy for simulating network conditions

  • nixos-unstable -

pkgs.tun2proxy

Tunnel (TUN) interface for SOCKS and HTTP proxies

  • nixos-unstable -

pkgs.wireproxy

Wireguard client that exposes itself as a socks5 proxy

  • nixos-unstable -

pkgs.localproxy

AWS IoT Secure Tunneling Local Proxy Reference Implementation C++

  • nixos-unstable -

pkgs.netns-proxy

Simple and slim proxy to forward ports from and into linux network namespaces

  • nixos-unstable -

pkgs.radsecproxy

Generic RADIUS proxy that supports both UDP and TLS (RadSec) RADIUS transports

  • nixos-unstable -

pkgs.trevorproxy

Module to rotate the source IP address via SSH proxies and other methods

  • nixos-unstable -

pkgs.vouch-proxy

SSO and OAuth / OIDC login solution for NGINX using the auth_request module

  • nixos-unstable -

pkgs.xmrig-proxy

Monero (XMR) Stratum protocol proxy

  • nixos-unstable -

pkgs.alpaca-proxy

HTTP forward proxy with PAC and NTLM authentication support

  • nixos-unstable -

pkgs.oauth2-proxy

Reverse proxy that provides authentication with Google, Github, or other providers

  • nixos-unstable -

pkgs.doh-proxy-rust

Fast, mature, secure DoH server proxy written in Rust

  • nixos-unstable -

pkgs.heimdall-proxy

Cloud native Identity Aware Proxy and Access Control Decision service

  • nixos-unstable -

pkgs.proxychains-ng

Preloader which hooks calls to sockets in dynamically linked programs and redirects it through one or more socks/http proxies

  • nixos-unstable -

pkgs.zabbix.proxy-mysql

Enterprise-class open source distributed monitoring solution (client-server proxy)

  • nixos-unstable -

pkgs.zabbix.proxy-pgsql

Enterprise-class open source distributed monitoring solution (client-server proxy)

  • nixos-unstable -

pkgs.immich-public-proxy

Share your Immich photos and albums in a safe way without exposing your Immich instance to the public

  • nixos-unstable -

pkgs.zabbix.proxy-sqlite

Enterprise-class open source distributed monitoring solution (client-server proxy)

  • nixos-unstable -

pkgs.zabbix60.proxy-mysql

Enterprise-class open source distributed monitoring solution (client-server proxy)

  • nixos-unstable -

pkgs.zabbix60.proxy-pgsql

Enterprise-class open source distributed monitoring solution (client-server proxy)

  • nixos-unstable -

pkgs.zabbix70.proxy-mysql

Enterprise-class open source distributed monitoring solution (client-server proxy)

  • nixos-unstable -

pkgs.zabbix70.proxy-pgsql

Enterprise-class open source distributed monitoring solution (client-server proxy)

  • nixos-unstable -

pkgs.zabbix72.proxy-mysql

Enterprise-class open source distributed monitoring solution (client-server proxy)

  • nixos-unstable -

pkgs.zabbix72.proxy-pgsql

Enterprise-class open source distributed monitoring solution (client-server proxy)

  • nixos-unstable -

pkgs.zabbix74.proxy-mysql

Enterprise-class open source distributed monitoring solution (client-server proxy)

  • nixos-unstable -

pkgs.zabbix74.proxy-pgsql

Enterprise-class open source distributed monitoring solution (client-server proxy)

  • nixos-unstable -

pkgs.zabbix60.proxy-sqlite

Enterprise-class open source distributed monitoring solution (client-server proxy)

  • nixos-unstable -

pkgs.zabbix70.proxy-sqlite

Enterprise-class open source distributed monitoring solution (client-server proxy)

  • nixos-unstable -

pkgs.zabbix72.proxy-sqlite

Enterprise-class open source distributed monitoring solution (client-server proxy)

  • nixos-unstable -

pkgs.zabbix74.proxy-sqlite

Enterprise-class open source distributed monitoring solution (client-server proxy)

  • nixos-unstable -

pkgs.ios-webkit-debug-proxy

DevTools proxy (Chrome Remote Debugging Protocol) for iOS devices (Safari Remote Web Inspector)

  • nixos-unstable -

CVE-2023-49166
7.6 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
WordPress MSync Plugin <= 1.0.0 is vulnerable to SQL Injection

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Magic Logix MSync. This issue affects MSync: from n/a through 1.0.0.

Affected products

msync
  • =<1.0.0

Matching in nixpkgs

pkgs.lvmsync

Optimised synchronisation of LVM snapshots over a network

  • nixos-unstable -

pkgs.pimsync

Synchronise calendars and contacts

  • nixos-unstable -
