Nixpkgs Security Tracker

Automatically generated suggestions

Permalink CVE-2023-25990
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
WordPress Tutor LMS Plugin <= 2.1.10 is vulnerable to SQL Injection

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeum Tutor LMS allows SQL Injection. This issue affects Tutor LMS: from n/a through 2.1.10.

Affected products

tutor
  • =<2.1.10
tutor_lms
  • =<2.1.10

Matching in nixpkgs

Package maintainers

Permalink CVE-2023-5536
5.0 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 6 months ago
A feature in LXD (LP#1829071), affects the default configuration of Ubuntu Server which allows privileged users in the lxd group to escalate their privilege to root without requiring a sudo password.

Affected products

Linux
  • <24.04

Matching in nixpkgs

pkgs.vibrantlinux

Tool to automate managing your screen's saturation depending on what programs are running

  • nixos-unstable -

pkgs.perlPackages.LinuxACL

Perl extension for reading and setting Access Control Lists for files by libacl linux library

  • nixos-unstable -

pkgs.perl538Packages.LinuxACL

Perl extension for reading and setting Access Control Lists for files by libacl linux library

  • nixos-unstable -

pkgs.perl540Packages.LinuxACL

Perl extension for reading and setting Access Control Lists for files by libacl linux library

  • nixos-unstable -

pkgs.perlPackages.Linuxusermod

This module adds, removes and modifies user and group accounts according to the passwd and shadow file syntax

  • nixos-unstable -

pkgs.perl538Packages.Linuxusermod

This module adds, removes and modifies user and group accounts according to the passwd and shadow file syntax

  • nixos-unstable -

pkgs.perl540Packages.Linuxusermod

This module adds, removes and modifies user and group accounts according to the passwd and shadow file syntax

  • nixos-unstable -
Permalink CVE-2023-0593
5.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 6 months ago
Path traversal in yaffshiv

A path traversal vulnerability affects yaffshiv YAFFS filesystem extractor. By crafting a malicious YAFFS file, an attacker could force yaffshiv to write outside of the extraction directory. This issue affects yaffshiv up to version 0.1 included, which is the most recent at time of publication.

Affected products

yaffshiv
  • =<0.1

Matching in nixpkgs

Package maintainers

Permalink CVE-2023-46621
6.1 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 6 months ago
WordPress User Avatar Plugin <= 1.4.11 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Enej Bajgoric / Gagan Sandhu / CTLT DEV User Avatar plugin <= 1.4.11 versions.

Affected products

user-avatar
  • =<1.4.11

Matching in nixpkgs

Package maintainers

Permalink CVE-2023-32627
6.2 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 6 months ago
Floating point exception in src/voc.c

A floating point exception vulnerability was found in sox, in the read_samples function at sox/src/voc.c:334:18. This flaw can lead to a denial of service.

References

Affected products

sox

Matching in nixpkgs

pkgs.sox

Sample Rate Converter for audio

pkgs.soxr

Audio resampling library

  • nixos-unstable -

pkgs.soxt

GUI binding for using Open Inventor with Xt/Motif

Package maintainers

created 6 months ago
Apache Airflow: Missing CSRF protection on DAG/trigger

Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation. As a result, it was possible for a malicious website opened in the same browser, by the user who also had the Airflow UI open, to trigger the execution of DAGs without the user's consent. Users are advised to upgrade to version 2.8.0 or later, which is not affected.

Affected products

apache-airflow
  • <2.8.0

Matching in nixpkgs

pkgs.apache-airflow

Programmatically author, schedule and monitor data pipelines

  • nixos-unstable -

Package maintainers

Permalink CVE-2023-0458
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 6 months ago
Spectre V1 Gadget in do_prlimit in the Linux Kernel

A speculative pointer dereference problem exists in the Linux Kernel in the do_prlimit() function. The resource argument value is attacker-controlled and is used in pointer arithmetic for the 'rlim' variable, which can be used to leak its contents. We recommend upgrading past version 6.1.8 or commit 739790605705ddcf18f21782b9c99ad7d53a8c11.

References

Affected products

kernel
  • =<6.1.8

Matching in nixpkgs

pkgs.linux-doc

Linux kernel html documentation

  • nixos-unstable -

pkgs.coq-kernel

None

  • nixos-unstable -
    • nixpkgs-unstable

pkgs.kernelshark

GUI for trace-cmd which is an interface for the Linux kernel ftrace subsystem

  • nixos-unstable -

Package maintainers

Permalink CVE-2023-25584
6.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 6 months ago
Out of bounds read in parse_module function in bfd/vms-alpha.c

An out-of-bounds read flaw was found in the parse_module function in bfd/vms-alpha.c in Binutils.

References

Affected products

rizin
insight
radare2
binutils
mingw-binutils
gcc-toolset-11-gdb
gcc-toolset-12-gdb
gcc-toolset-11-binutils
gcc-toolset-12-binutils

Matching in nixpkgs

pkgs.rizin

UNIX-like reverse engineering framework and command-line toolset

  • nixos-unstable -

pkgs.radare2

UNIX-like reverse engineering framework and command-line toolset

  • nixos-unstable -

pkgs.bintools

System binary utilities (wrapper script)

  • nixos-unstable -

pkgs.binutils

Tools for manipulating binaries (linker, assembler, etc.) (wrapper script)

  • nixos-unstable -

pkgs.binutilsNoLibc

Tools for manipulating binaries (linker, assembler, etc.) (wrapper script)

  • nixos-unstable -

pkgs.cargo-binutils

Cargo subcommands to invoke the LLVM tools shipped with the Rust toolchain

  • nixos-unstable -

pkgs.binutils_nogold

Tools for manipulating binaries (linker, assembler, etc.) (wrapper script)

  • nixos-unstable -

pkgs.binutils-unwrapped

Tools for manipulating binaries (linker, assembler, etc.)

  • nixos-unstable -

Package maintainers

created 6 months ago
WordPress Alter Plugin <= 1.0 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Alter plugin <= 1.0 versions.

Affected products

alter
  • =<1.0

Matching in nixpkgs

pkgs.alterx

Fast and customizable subdomain wordlist generator using DSL

  • nixos-unstable -

Package maintainers

Permalink CVE-2023-4156
4.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 6 months ago
Heap out of bound read in builtin.c

A heap out-of-bounds read flaw was found in builtin.c in the gawk package. This issue may lead to a crash and could be used to read sensitive information.

References

Affected products

gawk
  • ==5.1.1

Matching in nixpkgs

pkgs.gawk

GNU implementation of the Awk programming language

  • nixos-unstable -

pkgs.gawkInteractive

GNU implementation of the Awk programming language

  • nixos-unstable -

Package maintainers