CVE-2021-33359: 
NixOS vulnerability analysis and mitigation

A vulnerability exists in gowitness versions prior to 2.3.6 that allows an unauthenticated attacker to perform arbitrary file read using the file:// scheme in the url parameter to get an image of any file (NVD).

The vulnerability is tracked as CVE-2021-33359 and has been assigned a CVSS v3.1 base score of 7.5 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). The issue stems from insufficient URI validation in the screenshot and report server functionality, which allowed arbitrary URI schemes to be processed (GitHub Release).

The vulnerability allows attackers to read arbitrary files from the host filesystem by using the file:// URI scheme. This could potentially expose sensitive system files and lead to information disclosure (GitHub Release).

The vulnerability was fixed in version 2.3.6 by limiting allowed URIs to only those starting with http/https by default. A new flag --allow-insecure-uri/-A was added to optionally disable this restriction. Additionally, the report and screenshot servers now listen on localhost only by default. Users are advised to upgrade to version 2.3.6 or later (GitHub Release).

The vulnerability was responsibly disclosed by Omri Inbar from Checkmarx. The project maintainers promptly addressed the issue by releasing version 2.3.6 with security hardening measures (GitHub Release).