CVE-2021-35048: 
NixOS vulnerability analysis and mitigation

A vulnerability in Fidelis Network and Deception CommandPost enables unauthenticated SQL injection through the web interface. The vulnerability (CVE-2021-35048) was discovered in June 2021 and could lead to exposure of authentication tokens in some versions of Fidelis software. The vulnerability affects Fidelis Network and Deception versions prior to 9.3.7 and version 9.4 (NVD).

The vulnerability is classified as SQL injection (CWE-89) with a CVSS v3.1 base score of 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The attack vector is network-accessible, requires low attack complexity, needs no privileges or user interaction, and can result in high impact to confidentiality, integrity, and availability (NVD, Securifera).

The vulnerability could allow attackers to dump the CommandPost database and access encrypted credentials. When exploited, it provides access to all unencrypted credentials, PII, and sensitive data exiting the monitored network through the Fidelis sensor (Securifera).

Patches and updates are available to address this vulnerability. Users are strongly encouraged to update to version 9.3.7 or later of Fidelis Network and Deception software (NVD, Securifera).

The disclosure process with the vendor proceeded smoothly, with Fidelis Cybersecurity working collaboratively to address and patch the issues in a reasonable timeframe (Securifera).