CVE-2019-4001: 
NixOS vulnerability analysis and mitigation

Improper input validation in Druva inSync Client 6.5.0 allows a local, authenticated attacker to execute arbitrary NodeJS code. The vulnerability was discovered in 2019 and was assigned CVE-2019-4001. The affected software is the Druva inSync Client version 6.5.0, specifically the inSync Electron application component (Tenable Advisory).

The vulnerability exists due to a misconfiguration in the inSync Electron application where the application accepts URL parameters without proper validation. The application allows a malicious local user to execute arbitrary NodeJS code in the context of the inSync client process by launching inSync with a URL parameter pointing to an attacker-controlled HTML file. This file can be either local or remote (e.g., http://12.34.56.78/index.html). The vulnerability received a CVSS v3.1 Base Score of 7.8 (HIGH) with the vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (Tenable Advisory).

The vulnerability can be exploited to execute arbitrary NodeJS code in the context of the inSync client process. On MacOS systems, this vulnerability could be used to read service tokens from the MacOS keychain, and when combined with other vulnerabilities (like CVE-2019-4000), it could lead to privilege escalation to root (Tenable Advisory).

The vulnerability was fixed in Druva inSync version 6.6.2. Users should upgrade to this version or later to mitigate the vulnerability (Tenable Advisory).