Nixpkgs Security Tracker

Login with GitHub

Automatically generated suggestions

to slate a suggestion for refinement.

to mark a suggestion as irrelevant and log the reason.

View:
Compact
Detailed
Permalink CVE-2024-37248
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress Anima theme <= 1.4.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CryoutCreations Anima allows Stored XSS.This issue affects Anima: from n/a through 1.4.1.

References

Affected products

anima
  • =<1.4.1

Matching in nixpkgs

pkgs.animatch

Cute match three game for the Librem 5 smartphone

  • nixos-unstable -

Package maintainers

Permalink CVE-2024-6287
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
Incorrect Address Range Calculations

Incorrect Calculation vulnerability in Renesas arm-trusted-firmware allows Local Execution of Code. When checking whether a new image invades/overlaps with a previously loaded image the code neglects to consider a few cases. that could An attacker to bypass memory range restriction and overwrite an already loaded image partly or completely, which could result in code execution and bypass of secure boot.

References

Affected products

rcar_gen3_firmware
  • ==v2.5
arm-trusted-firmware
  • <954d488a9798f8fda675c6b57c571b469b298f04

Matching in nixpkgs

Package maintainers

Permalink CVE-2024-6285
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
Integer Underflow in Memory Range Check in Renesas RCAR

Integer Underflow (Wrap or Wraparound) vulnerability in Renesas arm-trusted-firmware. An integer underflow in image range check calculations could lead to bypassing address restrictions and loading of images to unallowed addresses.

References

Affected products

rcar_gen3_v2.5
  • <b596f580637bae919b0ac3a5471422a1f756db3b
arm-trusted-firmware
  • <b596f580637bae919b0ac3a5471422a1f756db3b

Matching in nixpkgs

Package maintainers

Permalink CVE-2024-6239
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 6 months ago
Poppler: pdfinfo: crash in broken documents when using -dests parameter

A flaw was found in the Poppler's Pdfinfo utility. This issue occurs when using -dests parameter with pdfinfo utility. By using certain malformed input files, an attacker could cause the utility to crash, leading to a denial of service.

References

Affected products

poppler
  • =<24.06.1
  • *
compat-poppler022
gimp:flatpak/poppler
  • *
inkscape:flatpak/poppler
  • *
libreoffice:flatpak/poppler
  • *

Matching in nixpkgs

pkgs.poppler_data

Encoding files for Poppler, a PDF rendering library

  • nixos-unstable -

Package maintainers

Permalink CVE-2024-35758
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress Interface theme <= 3.1.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Theme Horse Interface allows Stored XSS.This issue affects Interface: from n/a through 3.1.0.

References

Affected products

interface
  • =<3.1.0

Matching in nixpkgs

pkgs.aws-lambda-rie

Locally test Lambda functions packaged as container images

  • nixos-unstable -

Package maintainers

Permalink CVE-2020-27352
9.3 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
When generating the systemd service units for the docker snap …

When generating the systemd service units for the docker snap (and other similar snaps), snapd does not specify Delegate=yes - as a result systemd will move processes from the containers created and managed by these snaps into the cgroup of the main daemon within the snap itself when reloading system units. This may grant additional privileges to a container within the snap that were not originally intended.

References

Affected products

snapd
  • <2.48.3

Matching in nixpkgs

Permalink CVE-2024-35767
9.1 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
WordPress Squeeze plugin <= 1.4 - Arbitrary File Upload vulnerability

Unrestricted Upload of File with Dangerous Type vulnerability in Bogdan Bendziukov Squeeze allows Code Injection.This issue affects Squeeze: from n/a through 1.4.

References

Affected products

squeeze
  • =<1.4

Matching in nixpkgs

Package maintainers

Permalink CVE-2022-28657
7.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
Apport does not disable python crash handler before entering chroot

Apport does not disable python crash handler before entering chroot

References

Affected products

apport
  • <2.21.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2023-47788
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 6 months ago
WordPress Jetpack plugin < 12.7 - Contributor+ Broken Access Control vulnerability

Missing Authorization vulnerability in Automattic Jetpack.This issue affects Jetpack: from n/a before 12.7.

References

Affected products

jetpack
  • <12.7

Matching in nixpkgs

Permalink CVE-2023-20566
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 6 months ago
Improper address validation in ASP with SNP enabled may potentially …

Improper address validation in ASP with SNP enabled may potentially allow an attacker to compromise guest memory integrity.

References

Affected products

PI
  • ==various
AMD EPYC™ Embedded 7003
  • ==various
AMD EPYC™ Embedded 9003
  • ==various

Matching in nixpkgs

pkgs.spoofdpi

Simple and fast anti-censorship tool written in Go

  • nixos-unstable -