PT-2024-31400 · NixOS · Hydra

Author: Delroth · Published: 2024-08-27 · Updated: 2024-08-31 · CVE-2024-45049

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Hydra (affected versions not specified)
Description: Hydra is a Continuous Integration service for Nix-based projects. It is possible to trigger evaluations in Hydra without any authentication. Depending on the size of the evaluations, this can impact the availability of systems.
Recommendations: To fix the issue, apply the patch from https://github.com/NixOS/hydra/commit/f73043378907c2c7e44f633ad764c8bdd1c947d5 to any Hydra package and upgrade. As a temporary workaround for users unable to upgrade, deny the "/api/push" route in a reverse proxy, noting that this will also break the "Evaluate jobset" button in the frontend.

Weakness Enumeration: Missing Authentication

Related Identifiers:
CVE-2024-45049
GHSA-XV29-V93R-2F5V

Affected Products: Hydra