Nixpkgs Security Tracker

Login with GitHub

Automatically generated suggestions

to slate a suggestion for refinement.

to mark a suggestion as irrelevant and log the reason.

View:
Compact
Detailed
Permalink CVE-2024-37947
5.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress Tutor LMS plugin <= 2.7.2 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Themeum Tutor LMS allows Stored XSS.This issue affects Tutor LMS: from n/a through 2.7.2.

References

Affected products

tutor
  • =<2.7.2

Matching in nixpkgs

Package maintainers

Permalink CVE-2024-37057
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
Deserialization of untrusted data can occur in versions of the …

Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.0.0rc0 or newer, enabling a maliciously uploaded Tensorflow model to run arbitrary code on an end user’s system when interacted with.

References

Affected products

mlflow
  • =<*

Matching in nixpkgs

pkgs.mlflow-server

Open source platform for the machine learning lifecycle

  • nixos-unstable -

Package maintainers

Permalink CVE-2024-39877
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
Apache Airflow: DAG Author Code Execution possibility in airflow-scheduler

Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users should upgrade to version 2.9.3 or later which has removed the vulnerability.

References

Affected products

airflow
  • <2.9.3
apache-airflow
  • <2.9.3

Matching in nixpkgs

pkgs.apache-airflow

Programmatically author, schedule and monitor data pipelines

  • nixos-unstable -

Package maintainers

Permalink CVE-2024-39863
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 6 months ago
Apache Airflow: Potential XSS Vulnerability

Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider. Users are recommended to upgrade to version 2.9.3, which fixes this issue.

References

Affected products

airflow
  • <2.9.3
apache-airflow
  • <2.9.3

Matching in nixpkgs

pkgs.apache-airflow

Programmatically author, schedule and monitor data pipelines

  • nixos-unstable -

Package maintainers

Permalink CVE-2024-6655
7.0 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
Gtk3: gtk2: library injection from cwd

A flaw was found in the GTK library. Under certain conditions, it is possible for a library to be injected into a GTK application from the current working directory.

References

Affected products

gtk
  • <3.24.43
gtk2
gtk3
  • *
gtk4
gimp:flatpak/gtk2
inkscape:flatpak/gtk2

Matching in nixpkgs

pkgs.lazarus

Graphical IDE for the FreePascal language

pkgs.adw-gtk3

Unofficial GTK 3 port of libadwaita

Permalink CVE-2024-37064
7.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
Deseriliazation of untrusted data can occur in versions 3.7.0 or …

Deseriliazation of untrusted data can occur in versions 3.7.0 or newer of Ydata's ydata-profiling open-source library, enabling a maliciously crafted dataset to run arbitrary code on an end user's system when loaded.

References

Affected products

ydata-profiling
  • =<*
  • =<3.7.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2024-6716
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 6 months ago
Libtiff: out-of-memory issue in tiffreadencodedstrip() may lead to denial of service

A flaw was found in libtiff. This flaw allows an attacker to create a crafted tiff file, forcing libtiff to allocate memory indefinitely. This issue can result in a denial of service of the system consuming libtiff due to memory starvation.

References

Affected products

libtiff
mingw-libtiff
compat-libtiff3

Matching in nixpkgs

pkgs.libtiff

Library and utilities for working with the TIFF image file format

  • nixos-unstable -

Package maintainers

Permalink CVE-2023-39327
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 6 months ago
Openjpeg: malicious files can cause the program to enter a large loop

A flaw was found in OpenJPEG. Maliciously constructed pictures can cause the program to enter a large loop and continuously print warning messages on the terminal.

References

Affected products

openjpeg
  • ==2.5.0
openjpeg2
gimp:flatpak/openjpeg2
inkscape:flatpak/openjpeg2
libreoffice:flatpak/openjpeg2

Matching in nixpkgs

pkgs.openjpeg

Open-source JPEG 2000 codec written in C language

  • nixos-unstable -

Package maintainers

Permalink CVE-2023-39329
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 6 months ago
Openjpeg: resource exhaustion will occur in the opj_t1_decode_cblks function in the tcd.c

A flaw was found in OpenJPEG. A resource exhaustion can occur in the opj_t1_decode_cblks function in tcd.c through a crafted image file, causing a denial of service.

References

Affected products

openjpeg
  • ==2.5.0
openjpeg2
gimp:flatpak/openjpeg2
inkscape:flatpak/openjpeg2
libreoffice:flatpak/openjpeg2

Matching in nixpkgs

pkgs.openjpeg

Open-source JPEG 2000 codec written in C language

  • nixos-unstable -

Package maintainers

Permalink CVE-2024-6237
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 6 months ago
389-ds-base: unauthenticated user can trigger a dos by sending a specific extended search request

A flaw was found in the 389 Directory Server. This flaw allows an unauthenticated user to cause a systematic server crash while sending a specific extended search request, leading to a denial of service.

References

Affected products

389-ds-base
  • <2.4.5
  • *
redhat-ds:12
  • *
389-ds:1.4/389-ds-base
redhat-ds:11/389-ds-base
redhat-ds:12/389-ds-base

Matching in nixpkgs

pkgs._389-ds-base

Enterprise-class Open Source LDAP server for Linux

  • nixos-unstable -

Package maintainers