Nixpkgs Security Tracker

Login with GitHub

Automatically generated suggestions

to slate a suggestion for refinement.

to mark a suggestion as irrelevant and log the reason.

View:
Compact
Detailed
Permalink CVE-2023-38000
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
Auth. Stored Cross-Site Scripting (XSS) vulnerability in WordPress core and Gutenberg plugin via Navigation Links Block

Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability in WordPress core 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.1.3, from 6.0 through 6.0.5, from 5.9 through 5.9.7 and Gutenberg plugin <= 16.8.0 versions.

References

Affected products

WordPress
  • =<6.0.5
  • =<6.2.2
  • =<6.3.1
  • =<5.9.7
  • =<6.1.3
gutenberg
  • =<16.8.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2023-40680
5.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress Yoast SEO Plugin <= 21.0 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Team Yoast Yoast SEO allows Stored XSS.This issue affects Yoast SEO: from n/a through 21.0.

References

Affected products

wordpress-seo
  • =<21.0

Matching in nixpkgs

Permalink CVE-2023-3089
7.0 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
Ocp & fips mode

A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated.

References

Affected products

openshift
  • ==4.12.0
(as-yet-unknown)
openshift-ansible
openshift-golang-builder-container

Matching in nixpkgs

pkgs.openshift

Build, deploy, and manage your applications with Docker and Kubernetes

  • nixos-unstable -

Package maintainers

Permalink CVE-2023-25700
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
WordPress Tutor LMS Plugin <= 2.1.10 is vulnerable to SQL Injection

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeum Tutor LMS allows SQL Injection.This issue affects Tutor LMS: from n/a through 2.1.10.

References

Affected products

tutor
  • =<2.1.10
tutor_lms
  • =<2.1.10

Matching in nixpkgs

Package maintainers

Permalink CVE-2023-32629
7.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
Local privilege escalation vulnerability in Ubuntu Kernels overlayfs ovl_copy_up_meta_inode_data skip …

Local privilege escalation vulnerability in Ubuntu Kernels overlayfs ovl_copy_up_meta_inode_data skip permission checks when calling ovl_do_setxattr on Ubuntu kernels

References

Affected products

Linux
  • <6.0.0-1020.20
  • <5.4.0-155.172
  • <6.2.0-26.26
ubantu_kernel
  • <6.0.0-1020.20
  • <5.4.0-155.172
  • <.2.0-26.26

Matching in nixpkgs

pkgs.vibrantlinux

Tool to automate managing your screen's saturation depending on what programs are running

  • nixos-unstable -

pkgs.perlPackages.LinuxACL

Perl extension for reading and setting Access Control Lists for files by libacl linux library

  • nixos-unstable -

pkgs.perl538Packages.LinuxACL

Perl extension for reading and setting Access Control Lists for files by libacl linux library

  • nixos-unstable -

pkgs.perl540Packages.LinuxACL

Perl extension for reading and setting Access Control Lists for files by libacl linux library

  • nixos-unstable -

pkgs.perlPackages.Linuxusermod

This module adds, removes and modify user and group accounts according to the passwd and shadow files syntax

  • nixos-unstable -

pkgs.perl538Packages.Linuxusermod

This module adds, removes and modify user and group accounts according to the passwd and shadow files syntax

  • nixos-unstable -

pkgs.perl540Packages.Linuxusermod

This module adds, removes and modify user and group accounts according to the passwd and shadow files syntax

  • nixos-unstable -
Permalink CVE-2023-46215
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 6 months ago
Apache Airflow Celery provider, Apache Airflow: Sensitive information logged as clear text when rediss, amqp, rpc protocols are used as Celery result backend

Insertion of Sensitive Information into Log File vulnerability in Apache Airflow Celery provider, Apache Airflow. Sensitive information logged as clear text when rediss, amqp, rpc protocols are used as Celery result backend Note: the vulnerability is about the information exposed in the logs not about accessing the logs. This issue affects Apache Airflow Celery provider: from 3.3.0 through 3.4.0; Apache Airflow: from 1.10.0 through 2.6.3. Users are recommended to upgrade Airflow Celery provider to version 3.4.1 and Apache Airlfow to version 2.7.0 which fixes the issue.

References

Affected products

apache-airflow
  • <2.7.0
apache-airflow-providers-celery
  • =<3.4.0

Matching in nixpkgs

pkgs.apache-airflow

Programmatically author, schedule and monitor data pipelines

  • nixos-unstable -

Package maintainers

Permalink CVE-2023-1193
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 6 months ago
Use-after-free in setup_async_work()

A use-after-free flaw was found in setup_async_work in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel. This issue could allow an attacker to crash the system by accessing freed work.

References

Affected products

Kernel
  • ==6.3-rc6
kernel
kernel-rt

Matching in nixpkgs

pkgs.linux-doc

Linux kernel html documentation

  • nixos-unstable -

pkgs.coq-kernel

None

  • nixos-unstable -
    • nixpkgs-unstable

pkgs.kernelshark

GUI for trace-cmd which is an interface for the Linux kernel ftrace subsystem

  • nixos-unstable -

Package maintainers

Permalink CVE-2023-34318
7.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
Heap-buffer-overflow in src/hcom.c

A heap buffer overflow vulnerability was found in sox, in the startread function at sox/src/hcom.c:160:41. This flaw can lead to a denial of service, code execution, or information disclosure.

References

Affected products

sox

Matching in nixpkgs

pkgs.sox

Sample Rate Converter for audio

pkgs.soxr

Audio resampling library

  • nixos-unstable -

pkgs.soxt

GUI binding for using Open Inventor with Xt/Motif

Package maintainers

Permalink CVE-2023-32611
5.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 6 months ago
G_variant_byteswap() can take a long time with some non-normal inputs

A flaw was found in GLib. GVariant deserialization is vulnerable to a slowdown issue where a crafted GVariant can cause excessive processing, leading to denial of service.

References

Affected products

glib
glib2
mingw-glib2

Matching in nixpkgs

pkgs.glib

C library of programming buildings blocks

  • nixos-unstable -

pkgs.libc

GNU C Library

pkgs.alglib

Numerical analysis and data processing library

  • nixos-unstable -

pkgs.glibmm

C++ interface to the GLib library

  • nixos-unstable -

pkgs.mtrace

Perl script used to interpret and provide human readable output of the trace log contained in the file mtracedata, whose contents were produced by mtrace(3)

pkgs.spglib

C library for finding and handling crystal symmetries

  • nixos-unstable -

pkgs.taglib

Library for reading and editing audio file metadata

  • nixos-unstable -

pkgs.taglib_1

Library for reading and editing audio file metadata

  • nixos-unstable -

pkgs.dbus-glib

Obsolete glib bindings for D-Bus lightweight IPC mechanism

  • nixos-unstable -

pkgs.glibcInfo

GNU Info manual of the GNU C Library

pkgs.json-glib

Library providing (de)serialization support for the JavaScript Object Notation (JSON) format

  • nixos-unstable -

pkgs.i3ipc-glib

C interface library to i3wm

  • nixos-unstable -

pkgs.libdbusmenu

Library for passing menu structures across DBus

pkgs.libzim-glib

Partial GObject/C bindings for libzim

  • nixos-unstable -

pkgs.glib-testing

Test library providing test harnesses and mock classes complementing the classes provided by GLib

  • nixos-unstable -

pkgs.jsonrpc-glib

Library to communicate using the JSON-RPC 2.0 specification

  • nixos-unstable -

pkgs.libgit2-glib

Glib wrapper library around the libgit2 git access library

  • nixos-unstable -

pkgs.libqrtr-glib

Qualcomm IPC Router protocol helper library

  • nixos-unstable -

pkgs.libvirt-glib

Wrapper library of libvirt for glib-based applications

  • nixos-unstable -

pkgs.taglib-sharp

Library for reading and writing metadata in media files

pkgs.template-glib

Library for template expansion which supports calling into GObject Introspection from templates

  • nixos-unstable -

pkgs.appstream-glib

Objects and helper methods to read and write AppStream metadata

  • nixos-unstable -

pkgs.geocode-glib_2

Convenience library for the geocoding and reverse geocoding using Nominatim service

  • nixos-unstable -

pkgs.libsignon-glib

Library for managing single signon credentials which can be used from GLib applications

  • nixos-unstable -

pkgs.libaccounts-glib

Library for managing accounts which can be used from GLib applications

  • nixos-unstable -

pkgs.haskellPackages.uu-parsinglib

Fast, online, error-correcting, monadic, applicative, merging, permuting, interleaving, idiomatic parser combinators

  • nixos-unstable -

pkgs.python312Packages.python-hglib

Library with a fast, convenient interface to Mercurial. It uses Mercurial’s command server for communication with hg

  • nixos-unstable -

pkgs.python313Packages.python-hglib

Library with a fast, convenient interface to Mercurial. It uses Mercurial’s command server for communication with hg

  • nixos-unstable -
Permalink CVE-2023-30500
5.8 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress WPForms plugins - Reflected Cross Site Scripting (XSS) vulnerability

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WPForms WPForms Lite (wpforms-lite), WPForms WPForms Pro (wpforms) plugins <= 1.8.1.2 versions.

References

Affected products

wpforms
  • =<1.8.1.2
wpforms-lite
  • =<1.8.1.2

Matching in nixpkgs