Nixpkgs Security Tracker

Login with GitHub

Automatically generated suggestions

to slate a suggestion for refinement.

to mark a suggestion as irrelevant and log the reason.

View:
Compact
Detailed
Permalink CVE-2023-46093
5.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress Webmaster Tools Plugin <= 2.0 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in LionScripts.Com Webmaster Tools plugin <= 2.0 versions.

References

Affected products

webmaster-tools
  • =<2.0

Matching in nixpkgs

Permalink CVE-2023-29499
5.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 6 months ago
Gvariant offset table entry size is not checked in is_normal()

A flaw was found in GLib. GVariant deserialization fails to validate that the input conforms to the expected format, leading to denial of service.

References

Affected products

glib
glib2
mingw-glib2

Matching in nixpkgs

pkgs.glib

C library of programming buildings blocks

  • nixos-unstable -

pkgs.libc

GNU C Library

pkgs.alglib

Numerical analysis and data processing library

  • nixos-unstable -

pkgs.glibmm

C++ interface to the GLib library

  • nixos-unstable -

pkgs.mtrace

Perl script used to interpret and provide human readable output of the trace log contained in the file mtracedata, whose contents were produced by mtrace(3)

pkgs.spglib

C library for finding and handling crystal symmetries

  • nixos-unstable -

pkgs.taglib

Library for reading and editing audio file metadata

  • nixos-unstable -

pkgs.taglib_1

Library for reading and editing audio file metadata

  • nixos-unstable -

pkgs.dbus-glib

Obsolete glib bindings for D-Bus lightweight IPC mechanism

  • nixos-unstable -

pkgs.glibcInfo

GNU Info manual of the GNU C Library

pkgs.json-glib

Library providing (de)serialization support for the JavaScript Object Notation (JSON) format

  • nixos-unstable -

pkgs.i3ipc-glib

C interface library to i3wm

  • nixos-unstable -

pkgs.libdbusmenu

Library for passing menu structures across DBus

pkgs.libzim-glib

Partial GObject/C bindings for libzim

  • nixos-unstable -

pkgs.glib-testing

Test library providing test harnesses and mock classes complementing the classes provided by GLib

  • nixos-unstable -

pkgs.jsonrpc-glib

Library to communicate using the JSON-RPC 2.0 specification

  • nixos-unstable -

pkgs.libgit2-glib

Glib wrapper library around the libgit2 git access library

  • nixos-unstable -

pkgs.libqrtr-glib

Qualcomm IPC Router protocol helper library

  • nixos-unstable -

pkgs.libvirt-glib

Wrapper library of libvirt for glib-based applications

  • nixos-unstable -

pkgs.taglib-sharp

Library for reading and writing metadata in media files

pkgs.template-glib

Library for template expansion which supports calling into GObject Introspection from templates

  • nixos-unstable -

pkgs.appstream-glib

Objects and helper methods to read and write AppStream metadata

  • nixos-unstable -

pkgs.geocode-glib_2

Convenience library for the geocoding and reverse geocoding using Nominatim service

  • nixos-unstable -

pkgs.libsignon-glib

Library for managing single signon credentials which can be used from GLib applications

  • nixos-unstable -

pkgs.libaccounts-glib

Library for managing accounts which can be used from GLib applications

  • nixos-unstable -

pkgs.haskellPackages.uu-parsinglib

Fast, online, error-correcting, monadic, applicative, merging, permuting, interleaving, idiomatic parser combinators

  • nixos-unstable -

pkgs.python312Packages.python-hglib

Library with a fast, convenient interface to Mercurial. It uses Mercurial’s command server for communication with hg

  • nixos-unstable -

pkgs.python313Packages.python-hglib

Library with a fast, convenient interface to Mercurial. It uses Mercurial’s command server for communication with hg

  • nixos-unstable -
Permalink CVE-2023-38471
6.2 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 6 months ago
Reachable assertion in dbus_set_host_name

A vulnerability was found in Avahi. A reachable assertion exists in the dbus_set_host_name function.

References

Affected products

avahi

Matching in nixpkgs

pkgs.avahi

mDNS/DNS-SD implementation

  • nixos-unstable -

pkgs.guile-avahi

Bindings to Avahi for GNU Guile

  • nixos-unstable -

Package maintainers

Permalink CVE-2023-47037
created 6 months ago
Apache Airflow missing fix for CVE-2023-40611 in 2.7.1 (DAG run broken access)

We failed to apply CVE-2023-40611 in 2.7.1 and this vulnerability was marked as fixed then.  Apache Airflow, versions before 2.7.3, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc.  Users should upgrade to version 2.7.3 or later which has removed the vulnerability.

References

Affected products

apache-airflow
  • <2.7.3

Matching in nixpkgs

pkgs.apache-airflow

Programmatically author, schedule and monitor data pipelines

  • nixos-unstable -

Package maintainers

Permalink CVE-2023-34008
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress WP ERP Plugin <= 1.12.3 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in weDevs WP ERP plugin <= 1.12.3 versions.

References

Affected products

erp
  • =<1.12.3

Matching in nixpkgs

pkgs.lerpn

Curses RPN calculator written in straight Python

pkgs.serpl

Simple terminal UI for search and replace, ala VS Code

  • nixos-unstable -

pkgs.sherpa

Monte Carlo event generator for the Simulation of High-Energy Reactions of PArticles

  • nixos-unstable -

pkgs.makerpm

Clean, simple RPM packager reimplemented completely from scratch

  • nixos-unstable -

pkgs.serpent

Compiler for the Serpent language for Ethereum

pkgs.overpass

Font heavily inspired by Highway Gothic

  • nixos-unstable -

pkgs.overpush

Self-hosted, drop-in replacement for Pushover that can use XMPP

  • nixos-unstable -

pkgs.powerpipe

Dynamically query your cloud, code, logs & more with SQL

  • nixos-unstable -

pkgs.featherpad

Lightweight Qt5 Plain-Text Editor for Linux

  • nixos-unstable -

pkgs.filterpath

Retrieve a valid path from a messy piped line

  • nixos-unstable -
    • nixpkgs-unstable

pkgs.ciderpress2

File archive utility for Apple II disk images and file archives

  • nixos-unstable -

pkgs.letterpress

Create beautiful ASCII art

  • nixos-unstable -

pkgs.pufferpanel

Free, open source game management panel

  • nixos-unstable -

pkgs.fingerprintx

Standalone utility for service discovery on open ports

  • nixos-unstable -

pkgs.hyperpotamus

YAML based HTTP script processing engine

  • nixos-unstable -

pkgs.etherpad-lite

Modern really-real-time collaborative document editor

  • nixos-unstable -

pkgs.open-interpreter

OpenAI's Code Interpreter in your terminal, running locally

  • nixos-unstable -

Package maintainers

Permalink CVE-2023-3777
7.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
Use-after-free in Linux kernel's netfilter: nf_tables component

A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. When nf_tables_delrule() is flushing table rules, it is not checked whether the chain is bound and the chain's owner rule can also release the objects in certain circumstances. We recommend upgrading past commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8.

References

Affected products

kernel
  • <6.5

Matching in nixpkgs

pkgs.linux-doc

Linux kernel html documentation

  • nixos-unstable -

pkgs.coq-kernel

None

  • nixos-unstable -
    • nixpkgs-unstable

pkgs.kernelshark

GUI for trace-cmd which is an interface for the Linux kernel ftrace subsystem

  • nixos-unstable -

Package maintainers

Permalink CVE-2023-25794
5.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress Nooz Plugin <= 1.6.0 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Cross-Site Scripting (XSS) vulnerability in Mighty Digital Nooz plugin <= 1.6.0 versions.

References

Affected products

nooz
  • =<1.6.0

Matching in nixpkgs

pkgs.snooze

Tool for waiting until a particular time and then running a command

  • nixos-unstable -

pkgs.bluesnooze

Prevents your sleeping Mac from connecting to Bluetooth accessories

  • nixos-unstable -

Package maintainers

Permalink CVE-2023-47238
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
WordPress Top 10 Plugin <= 3.3.2 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in WebberZone Top 10 – WordPress Popular posts by WebberZone plugin <= 3.3.2 versions.

References

Affected products

top-10
  • =<3.3.2

Matching in nixpkgs

pkgs.budgie-desktop

Feature-rich, modern desktop designed to keep out the way of the user

  • nixos-unstable -

Package maintainers

Permalink CVE-2023-0160
4.7 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 6 months ago
Possibility of deadlock in libbpf function sock_hash_delete_elem

A deadlock flaw was found in the Linux kernel’s BPF subsystem. This flaw allows a local user to potentially crash the system.

References

Affected products

kernel
  • ==6.4-rc1
kernel-rt

Matching in nixpkgs

pkgs.linux-doc

Linux kernel html documentation

  • nixos-unstable -

pkgs.coq-kernel

None

  • nixos-unstable -
    • nixpkgs-unstable

pkgs.kernelshark

GUI for trace-cmd which is an interface for the Linux kernel ftrace subsystem

  • nixos-unstable -

Package maintainers

Permalink CVE-2023-48741
7.6 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 6 months ago
WordPress ChatBot Plugin <= 4.7.8 is vulnerable to SQL Injection

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in QuantumCloud AI ChatBot.This issue affects AI ChatBot: from n/a through 4.7.8.

References

Affected products

chatbot
  • =<4.7.8

Matching in nixpkgs

pkgs.gnomeExtensions.penguin-ai-chatbot

A GNOME Shell extension that provides a chatbot interface using various LLM providers, including Anthropic, OpenAI, Gemini, and OpenRouter. Features include multiple provider support, customizable models, chat history, customizable appearance, a keyboard shortcut, and copy-to-clipboard functionality.

  • nixos-unstable -
    • nixpkgs-unstable 22

Package maintainers