Nixpkgs Security Tracker

Automatically generated suggestions

CVE-2023-23699
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress Progress Bar Plugin <= 2.2.1 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Chris Reynolds Progress Bar plugin <= 2.2.1 versions.

Affected products

progress-bar
  • =<2.2.1

Matching in nixpkgs

CVE-2023-2968
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 6 months ago
Undefined variable usage in npm package "proxy" leads to remote denial of service

A remote attacker can trigger a denial of service by sending a crafted HTTP request for which socket.remoteAddress is undefined. Using the undefined value raises a TypeError exception, which crashes the proxy.

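The mechanism described above, as an added illustration of the bug class rather than the npm "proxy" package's own code: a Node.js request handler that dereferences req.socket.remoteAddress without first checking that it is defined. Node leaves net.Socket.remoteAddress undefined once the socket has been destroyed (for example, the client disconnected), so a request can reach the handler with no peer address. The request objects, header name and function names below are constructed for the example.

```javascript
// Added illustration of the bug class behind CVE-2023-2968; this is not the
// npm "proxy" package's own code. req.socket.remoteAddress is used without a
// guard, and Node leaves net.Socket.remoteAddress undefined once the socket
// has been destroyed, so a crafted request can arrive with no peer address.

// Vulnerable: `.replace` on undefined throws a TypeError. If nothing catches
// it, the process exits and every client of the proxy is denied service.
function forwardedForVulnerable(req) {
  const ip = req.socket.remoteAddress.replace(/^::ffff:/, '');
  return { ...req.headers, 'x-forwarded-for': ip };
}

// Hardened: validate the value before using it and fail only this request.
function forwardedForHardened(req) {
  const addr = req.socket ? req.socket.remoteAddress : undefined;
  if (typeof addr !== 'string' || addr.length === 0) {
    return { error: 400, reason: 'no peer address' };
  }
  const ip = addr.replace(/^::ffff:/, '');
  return { ...req.headers, 'x-forwarded-for': ip };
}

// Second layer: a per-request boundary so an exception in any handler is
// reported instead of reaching the event loop as an uncaught exception.
function handleRequest(handler, req) {
  try {
    return { ok: true, result: handler(req) };
  } catch (err) {
    return { ok: false, error: err.constructor.name, message: err.message };
  }
}

// Constructed request objects standing in for http.IncomingMessage
// (not captured traffic). The second models a socket whose peer is gone.
const normalReq = {
  headers: { host: 'upstream.example' },
  socket: { remoteAddress: '::ffff:203.0.113.7' },
};
const orphanReq = {
  headers: { host: 'upstream.example' },
  socket: { remoteAddress: undefined },
};

console.log(handleRequest(forwardedForVulnerable, orphanReq)); // ok: false, error: 'TypeError'
console.log(handleRequest(forwardedForHardened, orphanReq));   // ok: true, result: { error: 400, reason: 'no peer address' }
```

The hardened handler rejects only the offending request; the try/catch wrapper is the second layer, so a similar undefined dereference anywhere else in a handler is reported per request rather than taking the whole proxy down.
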
Affected products

proxy
  • <2.1.1

Matching in nixpkgs

pkgs.tproxy

CLI tool to proxy and analyze TCP connections

  • nixos-unstable -

pkgs._3proxy

Tiny free proxy server

  • nixos-unstable -

pkgs.g3proxy

Enterprise-oriented Generic Proxy Solutions

  • nixos-unstable -

pkgs.gvproxy

Network stack based on gVisor

  • nixos-unstable -

pkgs.haproxy

Reliable, high performance TCP/HTTP load balancer

  • nixos-unstable -

pkgs.ldproxy

Linker Proxy: a simple tool to forward linker arguments to the actual linker executable

  • nixos-unstable -

pkgs.moproxy

Transparent TCP to SOCKSv5/HTTP proxy on Linux written in Rust

  • nixos-unstable -

pkgs.ocproxy

OpenConnect proxy

  • nixos-unstable -

pkgs.reproxy

Simple edge server / reverse proxy

  • nixos-unstable -

pkgs.s3proxy

Access other storage backends via the S3 API

  • nixos-unstable -

pkgs.dnsproxy

Simple DNS proxy with DoH, DoT, and DNSCrypt support

  • nixos-unstable -

pkgs.imgproxy

Fast and secure on-the-fly image processing server written in Go

  • nixos-unstable -

pkgs.libproxy

Library that provides automatic proxy configuration management

  • nixos-unstable -

pkgs.mapproxy

Open source proxy for geospatial data

  • nixos-unstable -

pkgs.pacproxy

No-frills local HTTP proxy server powered by a proxy auto-config (PAC) file

  • nixos-unstable -

pkgs.proxyman

Capture, inspect, and manipulate HTTP(s) requests/responses with ease

  • nixos-unstable -

pkgs.proxypin

Capture HTTP(S) traffic software

  • nixos-unstable -

pkgs.proxysql

High-performance MySQL proxy

  • nixos-unstable -

pkgs.sniproxy

Transparent TLS and HTTP layer 4 proxy with SNI support

  • nixos-unstable -

pkgs.xssproxy

Forward freedesktop.org Idle Inhibition Service calls to Xss

  • nixos-unstable -

pkgs.dkimproxy

SMTP-proxy that signs and/or verifies emails

  • nixos-unstable -

pkgs.igmpproxy

Daemon that routes multicast using IGMP forwarding

  • nixos-unstable -

pkgs.mcp-proxy

MCP server which proxies other MCP servers from stdio to SSE or from SSE to stdio

  • nixos-unstable -

pkgs.proxyauth

Proxy Authentication Token - Fast authentication gateway for backend APIs

  • nixos-unstable -

pkgs.tinyproxy

Light-weight HTTP/HTTPS proxy daemon for POSIX operating systems

  • nixos-unstable -

pkgs.toxiproxy

Proxy for simulating network conditions

  • nixos-unstable -

pkgs.tun2proxy

Tunnel (TUN) interface for SOCKS and HTTP proxies

  • nixos-unstable -

pkgs.wireproxy

WireGuard client that exposes itself as a SOCKS5 proxy

  • nixos-unstable -

pkgs.localproxy

AWS IoT Secure Tunneling Local Proxy Reference Implementation C++

  • nixos-unstable -

pkgs.netns-proxy

Simple and slim proxy to forward ports from and into Linux network namespaces

  • nixos-unstable -

pkgs.radsecproxy

Generic RADIUS proxy that supports both UDP and TLS (RadSec) RADIUS transports

  • nixos-unstable -

pkgs.trevorproxy

Module to rotate the source IP address via SSH proxies and other methods

  • nixos-unstable -

pkgs.vouch-proxy

SSO and OAuth / OIDC login solution for NGINX using the auth_request module

  • nixos-unstable -

pkgs.xmrig-proxy

Monero (XMR) Stratum protocol proxy

  • nixos-unstable -

pkgs.alpaca-proxy

HTTP forward proxy with PAC and NTLM authentication support

  • nixos-unstable -

pkgs.oauth2-proxy

Reverse proxy that provides authentication with Google, GitHub, or other providers

  • nixos-unstable -

pkgs.doh-proxy-rust

Fast, mature, secure DoH server proxy written in Rust

  • nixos-unstable -

pkgs.heimdall-proxy

Cloud native Identity Aware Proxy and Access Control Decision service

  • nixos-unstable -

pkgs.proxychains-ng

Preloader which hooks socket calls in dynamically linked programs and redirects them through one or more SOCKS/HTTP proxies

  • nixos-unstable -

pkgs.zabbix.proxy-mysql

Enterprise-class open source distributed monitoring solution (client-server proxy)

  • nixos-unstable -

pkgs.zabbix.proxy-pgsql

Enterprise-class open source distributed monitoring solution (client-server proxy)

  • nixos-unstable -

pkgs.immich-public-proxy

Share your Immich photos and albums in a safe way without exposing your Immich instance to the public

  • nixos-unstable -

pkgs.zabbix.proxy-sqlite

Enterprise-class open source distributed monitoring solution (client-server proxy)

  • nixos-unstable -

pkgs.zabbix60.proxy-mysql

Enterprise-class open source distributed monitoring solution (client-server proxy)

  • nixos-unstable -

pkgs.zabbix60.proxy-pgsql

Enterprise-class open source distributed monitoring solution (client-server proxy)

  • nixos-unstable -

pkgs.zabbix70.proxy-mysql

Enterprise-class open source distributed monitoring solution (client-server proxy)

  • nixos-unstable -

pkgs.zabbix70.proxy-pgsql

Enterprise-class open source distributed monitoring solution (client-server proxy)

  • nixos-unstable -

pkgs.zabbix72.proxy-mysql

Enterprise-class open source distributed monitoring solution (client-server proxy)

  • nixos-unstable -

pkgs.zabbix72.proxy-pgsql

Enterprise-class open source distributed monitoring solution (client-server proxy)

  • nixos-unstable -

pkgs.zabbix74.proxy-mysql

Enterprise-class open source distributed monitoring solution (client-server proxy)

  • nixos-unstable -

pkgs.zabbix74.proxy-pgsql

Enterprise-class open source distributed monitoring solution (client-server proxy)

  • nixos-unstable -

pkgs.zabbix60.proxy-sqlite

Enterprise-class open source distributed monitoring solution (client-server proxy)

  • nixos-unstable -

pkgs.zabbix70.proxy-sqlite

Enterprise-class open source distributed monitoring solution (client-server proxy)

  • nixos-unstable -

pkgs.zabbix72.proxy-sqlite

Enterprise-class open source distributed monitoring solution (client-server proxy)

  • nixos-unstable -

pkgs.zabbix74.proxy-sqlite

Enterprise-class open source distributed monitoring solution (client-server proxy)

  • nixos-unstable -

pkgs.ios-webkit-debug-proxy

DevTools proxy (Chrome Remote Debugging Protocol) for iOS devices (Safari Remote Web Inspector)

  • nixos-unstable -

CVE-2023-49166
7.6 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 6 months ago
WordPress MSync Plugin <= 1.0.0 is vulnerable to SQL Injection

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Magic Logix MSync. This issue affects MSync: from n/a through 1.0.0.

Affected products

msync
  • =<1.0.0

Matching in nixpkgs

pkgs.lvmsync

Optimised synchronisation of LVM snapshots over a network

  • nixos-unstable -

pkgs.pimsync

Synchronise calendars and contacts

  • nixos-unstable -

CVE-2023-38000
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
Auth. Stored Cross-Site Scripting (XSS) vulnerability in WordPress core and Gutenberg plugin via Navigation Links Block

Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability in WordPress core 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.1.3, from 6.0 through 6.0.5, from 5.9 through 5.9.7 and Gutenberg plugin <= 16.8.0 versions.

Affected products

WordPress
  • =<6.0.5
  • =<6.2.2
  • =<6.3.1
  • =<5.9.7
  • =<6.1.3
gutenberg
  • =<16.8.0

Matching in nixpkgs

CVE-2023-40680
5.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress Yoast SEO Plugin <= 21.0 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Team Yoast Yoast SEO allows Stored XSS. This issue affects Yoast SEO: from n/a through 21.0.

Affected products

wordpress-seo
  • =<21.0

Matching in nixpkgs

CVE-2023-3089
7.0 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
OCP and FIPS mode

A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated.

Affected products

openshift
  • ==4.12.0
(as-yet-unknown)
openshift-ansible
openshift-golang-builder-container

Matching in nixpkgs

pkgs.openshift

Build, deploy, and manage your applications with Docker and Kubernetes

  • nixos-unstable -

CVE-2023-25700
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
WordPress Tutor LMS Plugin <= 2.1.10 is vulnerable to SQL Injection

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeum Tutor LMS allows SQL Injection. This issue affects Tutor LMS: from n/a through 2.1.10.

Affected products

tutor
  • =<2.1.10
tutor_lms
  • =<2.1.10

Matching in nixpkgs

CVE-2023-32629
7.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
Local privilege escalation vulnerability in Ubuntu Kernels overlayfs ovl_copy_up_meta_inode_data skip …

Local privilege escalation vulnerability in Ubuntu kernels: the overlayfs function ovl_copy_up_meta_inode_data skips permission checks when calling ovl_do_setxattr.

Affected products

Linux
  • <6.0.0-1020.20
  • <5.4.0-155.172
  • <6.2.0-26.26
ubantu_kernel
  • <6.0.0-1020.20
  • <5.4.0-155.172
  • <6.2.0-26.26

Matching in nixpkgs

pkgs.vibrantlinux

Tool to automate managing your screen's saturation depending on what programs are running

  • nixos-unstable -

pkgs.perlPackages.LinuxACL

Perl extension for reading and setting Access Control Lists for files via the libacl Linux library

  • nixos-unstable -

pkgs.perl538Packages.LinuxACL

Perl extension for reading and setting Access Control Lists for files via the libacl Linux library

  • nixos-unstable -

pkgs.perl540Packages.LinuxACL

Perl extension for reading and setting Access Control Lists for files via the libacl Linux library

  • nixos-unstable -

pkgs.perlPackages.Linuxusermod

Module that adds, removes and modifies user and group accounts according to the passwd and shadow file syntax

  • nixos-unstable -

pkgs.perl538Packages.Linuxusermod

Module that adds, removes and modifies user and group accounts according to the passwd and shadow file syntax

  • nixos-unstable -

pkgs.perl540Packages.Linuxusermod

Module that adds, removes and modifies user and group accounts according to the passwd and shadow file syntax

  • nixos-unstable -

CVE-2023-46215
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 6 months ago
Apache Airflow Celery provider, Apache Airflow: Sensitive information logged as clear text when rediss, amqp, rpc protocols are used as Celery result backend

Insertion of Sensitive Information into Log File vulnerability in Apache Airflow Celery provider and Apache Airflow. Sensitive information is logged as clear text when the rediss, amqp or rpc protocols are used as the Celery result backend. Note: the vulnerability is about the information exposed in the logs, not about accessing the logs. This issue affects Apache Airflow Celery provider from 3.3.0 through 3.4.0 and Apache Airflow from 1.10.0 through 2.6.3. Users are recommended to upgrade the Airflow Celery provider to version 3.4.1 and Apache Airflow to version 2.7.0, which fix the issue.
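
The failure mode above is a backend connection URL with credentials in its userinfo reaching a log line verbatim. The code below is an added example, not Airflow's or the Celery provider's code: it masks the password component of such a URL before it is formatted into a log line, and offers a check for lines that still carry a known secret. The URLs, secrets and log line format are constructed. It is written in JavaScript to keep one language for the examples on this page; the approach (parse the URL, replace the password, then log) is the same in any language with a URL parser.

```javascript
// Added example for CVE-2023-46215's failure mode (not Airflow or Celery code):
// a Celery broker / result-backend URL carries credentials in its userinfo,
// and logging it verbatim puts those credentials in clear text in the log.

// Replace the password component of a URL with a fixed mask. Works for the
// non-special schemes in the advisory (rediss://, amqp://, rpc://) because the
// WHATWG URL parser still splits userinfo when an authority ("//") is present.
function redactUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    // Unparsable input (e.g. credentials but no host): mask userinfo textually.
    return raw.replace(/\/\/([^/@:]+)(:[^/@]*)?@/, '//$1:***@');
  }
  if (u.password !== '') u.password = '***';
  return u.toString();
}

// The pattern that produced the finding: the configured URL is interpolated as-is.
function backendLogLineUnsafe(url) {
  return `INFO Using Celery result backend: ${url}`;
}

// The corrected pattern: redact before the string reaches the logger.
function backendLogLineSafe(url) {
  return `INFO Using Celery result backend: ${redactUrl(url)}`;
}

// Detection aid for existing logs: does a line still contain a known secret?
function lineLeaksSecret(line, secret) {
  return secret.length > 0 && line.includes(secret);
}

// Constructed configuration values (not from a real deployment).
const RESULT_BACKEND = 'rediss://default:s3cr3t-token@cache.internal:6380/0';
const BROKER_URL = 'amqp://airflow:Pa55w0rd@broker.internal:5672/airflow';
const RPC_BACKEND = 'rpc://';

console.log(backendLogLineUnsafe(RESULT_BACKEND)); // contains s3cr3t-token
console.log(backendLogLineSafe(RESULT_BACKEND));   // INFO Using Celery result backend: rediss://default:***@cache.internal:6380/0
console.log(backendLogLineSafe(BROKER_URL));       // INFO Using Celery result backend: amqp://airflow:***@broker.internal:5672/airflow
console.log(backendLogLineSafe(RPC_BACKEND));      // INFO Using Celery result backend: rpc://
```

Only the password is masked; the username and host stay visible so the log remains useful for debugging connectivity. The rpc:// form carries no credentials and passes through unchanged, which is the behaviour to check for when a redaction helper is wired into an existing logger.
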

Affected products

apache-airflow
  • <2.7.0
apache-airflow-providers-celery
  • =<3.4.0

Matching in nixpkgs

pkgs.apache-airflow

Programmatically author, schedule and monitor data pipelines

  • nixos-unstable -

CVE-2023-1193
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 6 months ago
Use-after-free in setup_async_work()

A use-after-free flaw was found in setup_async_work in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel. This issue could allow an attacker to crash the system by accessing freed work.

Affected products

Kernel
  • ==6.3-rc6
kernel
kernel-rt

Matching in nixpkgs

pkgs.linux-doc

Linux kernel html documentation

  • nixos-unstable -

pkgs.coq-kernel

None

  • nixos-unstable -
    • nixpkgs-unstable

pkgs.kernelshark

GUI for trace-cmd which is an interface for the Linux kernel ftrace subsystem

  • nixos-unstable -