Nixpkgs Security Tracker

Automatically generated suggestions

CVE-2023-3610
7.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
Use-after-free in Linux kernel's netfilter: nf_tables component

A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. Flaw in the error handling of bound chains causes a use-after-free in the abort path of NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered. We recommend upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795.

Affected products

kernel
  • <6.4

Matching in nixpkgs

pkgs.linux-doc

Linux kernel html documentation

  • nixos-unstable -

pkgs.coq-kernel

None

  • nixos-unstable -
    • nixpkgs-unstable

pkgs.kernelshark

GUI for trace-cmd which is an interface for the Linux kernel ftrace subsystem

  • nixos-unstable -

Package maintainers

CVE-2023-38469
6.2 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 6 months ago
Reachable assertion in avahi_dns_packet_append_record

A vulnerability was found in Avahi, where a reachable assertion exists in avahi_dns_packet_append_record.

References

Affected products

avahi

Matching in nixpkgs

pkgs.avahi

mDNS/DNS-SD implementation

  • nixos-unstable -

pkgs.guile-avahi

Bindings to Avahi for GNU Guile

  • nixos-unstable -

Package maintainers

CVE-2023-23996
5.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress ProfilePress Plugin <= 4.5.3 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in ProfilePress Membership Team ProfilePress plugin <= 4.5.3 versions.

Affected products

wp-user-avatar
  • =<4.5.3

Matching in nixpkgs

CVE-2023-40204
9.1 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
WordPress Folders Plugin <= 2.9.2 is vulnerable to Arbitrary File Upload

Unrestricted Upload of File with Dangerous Type vulnerability in Premio Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager. This issue affects Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager: from n/a through 2.9.2.

Affected products

folders
  • =<2.9.2

Matching in nixpkgs

pkgs.platform-folders

C++ library to look for standard platform directories so that you do not need to write platform-specific code

  • nixos-unstable -

Package maintainers

CVE-2023-41797
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress Locations Plugin <= 4.0 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Gold Plugins Locations plugin <= 4.0 versions.

Affected products

locations
  • =<4.0

Matching in nixpkgs

pkgs.kubectl-view-allocations

kubectl plugin to list allocations (cpu, memory, gpu,... X utilization, requested, limit, allocatable,...)

  • nixos-unstable -

Package maintainers

created 6 months ago
WordPress Linker Plugin <= 1.2.1 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Yakir Sitbon, Ariel Klikstein Linker plugin <= 1.2.1 versions.

Affected products

linker
  • =<1.2.1

Matching in nixpkgs

pkgs.linkerd_edge

Simple Kubernetes service mesh that improves security, observability and reliability

  • nixos-unstable -

pkgs.linkerd_stable

Simple Kubernetes service mesh that improves security, observability and reliability

  • nixos-unstable -

Package maintainers

CVE-2024-37062
7.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
Deserialization of untrusted data can occur in versions 3.7.0 or …

Deserialization of untrusted data can occur in versions 3.7.0 or newer of Ydata's ydata-profiling open-source library, enabling a maliciously crafted report to run arbitrary code on an end user's system when loaded.

Affected products

ydata-profiling
  • =<*
  • =<3.7.0

Matching in nixpkgs

Package maintainers

CVE-2023-24400
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress Cookie Notice & Compliance for GDPR / CCPA Plugin <= 2.4.6 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Cross-Site Scripting (XSS) vulnerability in Hu-manity.Co Cookie Notice & Compliance for GDPR / CCPA plugin <= 2.4.6 versions.

Affected products

cookie-notice
  • =<2.4.6

Matching in nixpkgs

CVE-2023-25586
4.7 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 6 months ago
Local variable `ch_type` in function `bfd_init_section_decompress_status` can be uninitialized

A flaw was found in Binutils. A logic fail in the bfd_init_section_decompress_status function may lead to the use of an uninitialized variable that can cause a crash and local denial of service.

References

Affected products

gdb
rizin
insight
radare2
binutils
mingw-binutils
gcc-toolset-11-gdb
gcc-toolset-12-gdb
gcc-toolset-11-binutils
gcc-toolset-12-binutils

Matching in nixpkgs

pkgs.gdb

GNU Project debugger

  • nixos-unstable -

pkgs.cgdb

Curses interface to gdb

  • nixos-unstable -

pkgs.gdbm

GNU dbm key/value database library

  • nixos-unstable -

pkgs.rizin

UNIX-like reverse engineering framework and command-line toolset

  • nixos-unstable -

pkgs.xxgdb

Simple but powerful graphical interface to gdb

  • nixos-unstable -

pkgs.gdbgui

Browser-based frontend for GDB

pkgs.eggdbus

D-Bus bindings for GObject

  • nixos-unstable -

pkgs.gdbuspp

GDBus++ - a glib2 D-Bus wrapper for C++

  • nixos-unstable -
    • nixpkgs-unstable 3

pkgs.radare2

UNIX-like reverse engineering framework and command-line toolset

  • nixos-unstable -

pkgs.sgdboop

Applying custom artwork to Steam, using SteamGridDB

  • nixos-unstable -

pkgs.bintools

System binary utilities (wrapper script)

  • nixos-unstable -

pkgs.binutils

Tools for manipulating binaries (linker, assembler, etc.) (wrapper script)

  • nixos-unstable -

pkgs.gdb-dashboard

Modular visual interface for GDB in Python

  • nixos-unstable -
    • nixpkgs-unstable

pkgs.binutilsNoLibc

Tools for manipulating binaries (linker, assembler, etc.) (wrapper script)

  • nixos-unstable -

pkgs.cargo-binutils

Cargo subcommands to invoke the LLVM tools shipped with the Rust toolchain

  • nixos-unstable -

pkgs.binutils_nogold

Tools for manipulating binaries (linker, assembler, etc.) (wrapper script)

  • nixos-unstable -

pkgs.binutils-unwrapped

Tools for manipulating binaries (linker, assembler, etc.)

  • nixos-unstable -

pkgs.cudaPackages.cuda_gdb

CUDA GDB. By downloading and using the packages you accept the terms and conditions of the CUDA EULA

Package maintainers

CVE-2023-23708
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress Visualizer Plugin <= 3.9.4 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Themeisle Visualizer: Tables and Charts Manager for WordPress plugin <= 3.9.4 versions.

Affected products

visualizer
  • =<3.9.4

Matching in nixpkgs

pkgs.MIDIVisualizer

Small MIDI visualizer tool, using OpenGL

  • nixos-unstable -

pkgs.midivisualizer

Small MIDI visualizer tool, using OpenGL

  • nixos-unstable -